From bdf87e5c6babf0fe263358e6c509332842ecb811 Mon Sep 17 00:00:00 2001 From: earsdown Date: Thu, 11 Jun 2015 10:58:05 +1000 Subject: [PATCH 001/246] Option to configure ssh via augeas ssh provider --- .../sshclient_options_to_augeas_ssh_config.rb | 113 ++++++++++++++++ ...sshserver_options_to_augeas_sshd_config.rb | 123 ++++++++++++++++++ manifests/client.pp | 11 +- manifests/client/config.pp | 21 ++- manifests/init.pp | 19 ++- manifests/server.pp | 10 +- manifests/server/config.pp | 30 +++-- manifests/server/match_block.pp | 13 +- 8 files changed, 309 insertions(+), 31 deletions(-) create mode 100644 lib/puppet/parser/functions/sshclient_options_to_augeas_ssh_config.rb create mode 100644 lib/puppet/parser/functions/sshserver_options_to_augeas_sshd_config.rb diff --git a/lib/puppet/parser/functions/sshclient_options_to_augeas_ssh_config.rb b/lib/puppet/parser/functions/sshclient_options_to_augeas_ssh_config.rb new file mode 100644 index 00000000..e3a2daf6 --- /dev/null +++ b/lib/puppet/parser/functions/sshclient_options_to_augeas_ssh_config.rb 
@@ -0,0 +1,113 @@
+module Puppet::Parser::Functions
+ newfunction(:sshclient_options_to_augeas_ssh_config, :type => :rvalue, :doc => <<-'ENDHEREDOC') do |args|
+ This function will convert a key-value hash to a format understandable by the augeas sshd_config provider
+ It will also optionally deal with keys that should be absent, and inject static parameters if supplied.
+
+ Usage: sshclient_options_to_augeas_ssh_config($options_present, $options_absent, $other_parameters)
+ - $options_hash is mandatory and must be a hash.
+ - $options_absent is optional and can be either a single value or an array.
+ - $other_parameters is optional and must be a hash.
+
+ Example:
+ $options = {
+ 'Host *.example.com' => {
+ 'ForwardAgent' => 'yes',
+ 'BatchMode' => 'yes',
+ },
+ 'ForwardAgent' => 'no',
+ 'BatchMode' => 'no',
+ 'StrictHostKeyChecking' => 'no',
+ }
+ $options_absent = ['StrictHostKeyChecking','NoneField']
+ $other_parameters = { 'target' => '/etc/ssh/ssh_config' }
+
+ $options_final_augeas = sshclient_options_to_augeas_ssh_config($options, $options_absent, $other_parameters)
+
+ In this case, the value of $options_final_augeas would be:
+
+ 'ForwardAgent *.example.com' => {
+ 'ensure' => 'present',
+ 'host' => '*.example.com',
+ 'key' => 'ForwardAgent',
+ 'value' => 'yes',
+ 'target' => '/etc/ssh/ssh_config',
+ }
+ 'BatchMode *.example.com' => {
+ 'ensure' => 'present',
+ 'host' => '*.example.com',
+ 'key' => 'BatchMode',
+ 'value' => 'yes',
+ 'target' => '/etc/ssh/ssh_config',
+ }
+ 'ForwardAgent' => {
+ 'ensure' => 'present',
+ 'key' => 'ForwardAgent',
+ 'value' => 'yes',
+ 'target' => '/etc/ssh/ssh_config',
+ }
+ 'BatchMode' => {
+ 'ensure' => 'present',
+ 'key' => 'BatchMode',
+ 'value' => 'yes',
+ 'target' => '/etc/ssh/ssh_config',
+ }
+ 'StrictHostKeyChecking' => {
+ 'ensure' => 'absent',
+ 'key' => 'StrictHostKeyChecking',
+ 'target' => '/etc/ssh/ssh_config',
+ }
+ 'NoneField' => {
+ 'ensure' => 'absent',
+ 'key' => 'NoneField',
+ 'target' => '/etc/ssh/ssh_config',
+ }
+
+ Note how the word "Host" is stripped away.
+
+ ENDHEREDOC
+
+ if args.length < 1
+ raise Puppet::ParseError,("sshclient_options_to_augeas_ssh_config: expects at least one argument")
+ end
+
+ options = args[0]
+ unless options.is_a?(Hash)
+ raise Puppet::ParseError,("sshclient_options_to_augeas_ssh_config: first argument must be a hash")
+ end
+
+ options_absent = args[1] if args[1]
+ other_parameters = args[2] if args[2]
+ if options_absent
+ unless options_absent.is_a?(Array) or options_absent.is_a?(String)
+ raise Puppet::ParseError,("sshclient_options_to_augeas_ssh_config: second argument, if supplied, must be an array or a string")
+ end
+ end
+ if other_parameters
+ unless other_parameters.is_a?(Hash)
+ raise Puppet::ParseError,("sshclient_options_to_augeas_ssh_config: third argument, if supplied, must be a hash")
+ end
+ end
+
+ options_final_augeas = {}
+ options.each do |key1,value1|
+ if value1.is_a?(Hash)
+ value1.each do |key2,value2|
+ options_final_augeas["#{key2} #{key1.gsub("Host ","")}"] = { 'ensure' => 'present' }
+ .merge({'host' => key1.gsub("Host ","")})
+ .merge({'key' => key2, 'value' => value2})
+ .merge(other_parameters)
+ end
+ else
+ options_final_augeas[key1] = { 'ensure' => 'present' }
+ .merge({'key' => key1, 'value' => value1})
+ .merge(other_parameters)
+ end
+ end
+ options_absent.each do |value|
+ options_final_augeas[value] = { 'ensure' => 'absent' }.merge({'key' => value})
+ .merge(other_parameters)
+ end
+ return options_final_augeas
+
+ end #newfunction
+end #module
diff --git a/lib/puppet/parser/functions/sshserver_options_to_augeas_sshd_config.rb b/lib/puppet/parser/functions/sshserver_options_to_augeas_sshd_config.rb
new file mode 100644
index 00000000..92639c1e
--- /dev/null
+++ b/lib/puppet/parser/functions/sshserver_options_to_augeas_sshd_config.rb
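Review bot: Both optional arguments stay `nil` when they are omitted, yet the body calls `options_absent.each` and `.merge(other_parameters)` unconditionally, so the documented one- and two-argument forms raise `NoMethodError`/`TypeError` while building `options_final_augeas`; a bare String for the second argument passes the type check but has no `each` outside Ruby 1.8. Keep the type checks as they are, but default and normalise around them: `other_parameters = args[2] || {}` where it is assigned, and `options_absent = [options_absent].flatten.compact` right after the `if options_absent` check. The sshserver_options_to_augeas_sshd_config hunk that follows has the same two problems. Separately, this heredoc describes the "augeas sshd_config provider" although the function targets ssh_config, and its example output shows `'value' => 'yes'` for the top-level `ForwardAgent` and `BatchMode` entries whose input is `'no'`; worth correcting before it becomes the published function doc.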
@@ -0,0 +1,123 @@
+module Puppet::Parser::Functions
+ newfunction(:sshserver_options_to_augeas_sshd_config, :type => :rvalue, :doc => <<-'ENDHEREDOC') do |args|
+ This function will convert a key-value hash to a format understandable by the augeas sshd_config provider
+ It will also optionally deal with keys that should be absent, and inject static parameters if supplied.
+
+ Usage: sshserver_options_to_augeas_sshd_config($options_present, $options_absent, $other_parameters)
+ - $options_hash is mandatory and must be a hash.
+ - $options_absent is optional and can be either a single value or an array.
+ - $other_parameters is optional and must be a hash.
+
+ Example:
+ $options = {
+ 'Match User www-data' => {
+ 'PasswordAuthentication' => 'yes',
+ 'X11Forwarding' => 'no',
+ },
+ 'Match Group bamboo' => {
+ 'ForcedCommand' => '/bin/echo hello world',
+ },
+ 'X11Forwarding' => 'yes',
+ 'DebianBanner' => '/etc/banner.net',
+ 'AllowGroups' => ["sshgroups", "admins"],
+ }
+ $options_absent = ['DebianBanner','NoneField']
+ $other_parameters = { 'target' => '/etc/ssh/sshd_config' }
+
+ $options_final_augeas = sshserver_options_to_augeas_sshd_config($options, $options_absent, $other_parameters)
+
+ In this case, the value of $options_final_augeas would be:
+
+ 'PasswordAuthentication User www-data' => {
+ 'ensure' => 'present',
+ 'condition' => 'User www-data',
+ 'key' => 'PasswordAuthentication',
+ 'value' => 'yes',
+ 'target' => '/etc/ssh/sshd_config',
+ }
+ 'X11Forwarding User www-data' => {
+ 'ensure' => 'present',
+ 'condition' => 'User www-data',
+ 'key' => 'X11Forwarding',
+ 'value' => 'no',
+ 'target' => '/etc/ssh/sshd_config',
+ }
+ 'ForcedCommand Group bamboo' => {
+ 'ensure' => 'present',
+ 'condition' => 'Group bamboo',
+ 'key' => 'ForcedCommand',
+ 'value' => '/bin/echo hello world',
+ 'target' => '/etc/ssh/sshd_config',
+ }
+ 'X11Forwarding' => {
+ 'ensure' => 'present',
+ 'key' => 'X11Forwarding',
+ 'value' => 'yes',
+ 'target' => '/etc/ssh/sshd_config',
+ }
+ 'DebianBanner' => {
+ 'ensure' => 'absent',
+ 'key' => 'DebianBanner',
+ 'target' => '/etc/ssh/sshd_config',
+ }
+ 'AllowGroups' => {
+ 'ensure' => 'present',
+ 'key' => 'AllowGroups',
+ 'value' => ['sshgroups','admins'],
+ 'target' => '/etc/ssh/sshd_config',
+ }
+ 'NoneField' => {
+ 'ensure' => 'absent',
+ 'key' => 'NoneField',
+ 'target' => '/etc/ssh/sshd_config',
+ }
+
+ Note how the word "Match" is stripped away.
+
+ ENDHEREDOC
+
+ if args.length < 1
+ raise Puppet::ParseError,("sshserver_options_to_augeas_sshd_config: expects at least one argument")
+ end
+
+ options = args[0]
+ unless options.is_a?(Hash)
+ raise Puppet::ParseError,("sshserver_options_to_augeas_sshd_config: first argument must be a hash")
+ end
+
+ options_absent = args[1] if args[1]
+ other_parameters = args[2] if args[2]
+ if options_absent
+ unless options_absent.is_a?(Array) or options_absent.is_a?(String)
+ raise Puppet::ParseError,("sshserver_options_to_augeas_sshd_config: second argument, if supplied, must be an array or a string")
+ end
+ end
+ if other_parameters
+ unless other_parameters.is_a?(Hash)
+ raise Puppet::ParseError,("sshserver_options_to_augeas_sshd_config: third argument, if supplied, must be a hash")
+ end
+ end
+
+ options_final_augeas = {}
+ options.each do |key1,value1|
+ if value1.is_a?(Hash)
+ value1.each do |key2,value2|
+ options_final_augeas["#{key2} #{key1.gsub("Match ","")}"] = { 'ensure' => 'present' }
+ .merge({'condition' => key1.gsub("Match ","")})
+ .merge({'key' => key2, 'value' => value2})
+ .merge(other_parameters)
+ end
+ else
+ options_final_augeas[key1] = { 'ensure' => 'present' }
+ .merge({'key' => key1, 'value' => value1})
+ .merge(other_parameters)
+ end
+ end
+ options_absent.each do |value|
+ options_final_augeas[value] = { 'ensure' => 'absent' }.merge({'key' => value})
+ .merge(other_parameters)
+ end
+ return options_final_augeas
+
+ end #newfunction
+end #module
diff --git a/manifests/client.pp b/manifests/client.pp index 812d6ec3..615f9c22 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -1,7 +1,9 @@ class ssh::client( $ensure = present, $storeconfigs_enabled = true, - $options = {} + $options = {}, + $use_augeas = false, + $options_absent = [], ) inherits ssh::params { # Merge hashes from multiple layer of hierarchy in hiera @@ -9,10 +11,15 @@ $fin_options = $hiera_options ? { undef => $options, + '' => $options, default => $hiera_options, } - $merged_options = merge($ssh::params::ssh_default_options, $fin_options) + if $use_augeas { + $merged_options = sshclient_options_to_augeas_ssh_config($fin_options, $options_absent, { 'target' => $::ssh::params::ssh_config }) + } else { + $merged_options = merge($ssh::params::ssh_default_options, $fin_options) + } include ssh::client::install include ssh::client::config diff --git a/manifests/client/config.pp b/manifests/client/config.pp index 2f8a5d8e..2c9c96c3 100644 --- a/manifests/client/config.pp +++ b/manifests/client/config.pp @@ -1,14 +1,21 @@ class ssh::client::config { $options = $::ssh::client::merged_options + $use_augeas = $::ssh::client::use_augeas - file { $ssh::params::ssh_config: - ensure => present, - owner => '0', - group => '0', - mode => '0644', - content => template("${module_name}/ssh_config.erb"), - require => Class['ssh::client::install'], + if $use_augeas { + + create_resources('ssh_config', $options) + + } else { + file { $ssh::params::ssh_config: + ensure => present, + owner => '0', + group => '0', + mode => '0644', + content => template("${module_name}/ssh_config.erb"), + require => Class['ssh::client::install'], + } } # Workaround for http://projects.reductivelabs.com/issues/2014 diff --git a/manifests/init.pp b/manifests/init.pp index 8f89ce5f..dd8c21ff 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
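Review bot: In the `$use_augeas` branch of the second client.pp hunk, `$ssh::params::ssh_default_options` is no longer merged into what `sshclient_options_to_augeas_ssh_config` receives, so a host switched to augeas silently loses whatever defaults the params class carries while the template branch keeps them; the server.pp hunk of this commit has the same asymmetry. If dropping the defaults is intended, record it at the branch, e.g. `# augeas mode manages only the keys listed in $options; ssh_default_options are not applied`; otherwise pass `merge($ssh::params::ssh_default_options, $fin_options)` into the function in both places. The new `'' => $options` selector arm also deserves a one-line comment saying why an empty hiera value is treated like undef.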
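Review bot: The augeas branch in client/config.pp drops the `require => Class['ssh::client::install']` that the file branch keeps, so the `ssh_config` resources can be applied before the client package, and with it the target file, exists; a resource default restores the ordering: `create_resources('ssh_config', $options, { 'require' => Class['ssh::client::install'] })`. The `ssh_config` and `sshd_config` types used here and in server/config.pp are not added by this commit as far as the diffstat shows, so the external module that provides them presumably has to be declared in metadata.json and .fixtures.yml, and a comment at the branch naming that module would spare the next reader the search.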
@@ -1,15 +1,20 @@ class ssh ( - $server_options = {}, - $client_options = {}, - $users_client_options = {}, - $version = 'present', - $storeconfigs_enabled = true + $server_options = {}, + $client_options = {}, + $users_client_options = {}, + $version = 'present', + $storeconfigs_enabled = true, + $use_augeas = false, + $server_options_absent = [], + $client_options_absent = [], ) inherits ssh::params { validate_hash($server_options) validate_hash($client_options) validate_hash($users_client_options) validate_bool($storeconfigs_enabled) + validate_bool($use_augeas) + validate_array($server_options_absent) # Merge hashes from multiple layer of hierarchy in hiera $hiera_server_options = hiera_hash("${module_name}::server_options", undef) @@ -35,12 +40,16 @@ ensure => $version, storeconfigs_enabled => $storeconfigs_enabled, options => $fin_server_options, + use_augeas => $use_augeas, + options_absent => $server_options_absent, } class { 'ssh::client': ensure => $version, storeconfigs_enabled => $storeconfigs_enabled, options => $fin_client_options, + use_augeas => $use_augeas, + options_absent => $client_options_absent, } create_resources('::ssh::client::config::user', $fin_users_client_options) diff --git a/manifests/server.pp b/manifests/server.pp index 14e40ac0..e4d4015c 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -1,7 +1,9 @@ class ssh::server( $ensure = present, $storeconfigs_enabled = true, - $options = {} + $options = {}, + $use_augeas = false, + $options_absent = [], ) inherits ssh::params { # Merge hashes from multiple layer of hierarchy in hiera 
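Review bot: `validate_array($server_options_absent)` is added in the first init.pp hunk, but the new `$client_options_absent` parameter, passed straight through to `ssh::client` in the second hunk, gets no check; add `validate_array($client_options_absent)` beside it. None of `$use_augeas`, `$server_options_absent` or `$client_options_absent` has a parameter comment; a one-line comment above each, noting that the absent lists are only honoured when `$use_augeas` is true (they are consumed only in the augeas branches of client.pp and server.pp), would save readers a trip into the ruby functions.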
@@ -13,7 +15,11 @@ default => $hiera_options, } - $merged_options = merge($ssh::params::sshd_default_options, $fin_options) + if $use_augeas { + $merged_options = sshserver_options_to_augeas_sshd_config($fin_options, $options_absent, { 'target' => $::ssh::params::sshd_config }) + } else { + $merged_options = merge($ssh::params::sshd_default_options, $fin_options) + } include ssh::server::install include ssh::server::config diff --git a/manifests/server/config.pp b/manifests/server/config.pp index 8bb961bd..8c103d3c 100644 --- a/manifests/server/config.pp +++ b/manifests/server/config.pp @@ -1,16 +1,24 @@ class ssh::server::config { + $options = $::ssh::server::merged_options + $use_augeas = $::ssh::server::use_augeas - concat { $ssh::params::sshd_config: - ensure => present, - owner => '0', - group => '0', - mode => '0600', - notify => Service[$ssh::params::service_name] - } + if $use_augeas { + + create_resources('sshd_config', $options) + + } else { + concat { $ssh::params::sshd_config: + ensure => present, + owner => '0', + group => '0', + mode => '0600', + notify => Service[$ssh::params::service_name] + } - concat::fragment { 'global config': - target => $ssh::params::sshd_config, - content => template("${module_name}/sshd_config.erb"), - order => '00' + concat::fragment { 'global config': + target => $ssh::params::sshd_config, + content => template("${module_name}/sshd_config.erb"), + order => '00' + } } } diff --git a/manifests/server/match_block.pp b/manifests/server/match_block.pp index 1ff975ff..6762bc50 100644 --- a/manifests/server/match_block.pp +++ b/manifests/server/match_block.pp 
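Review bot: The augeas branch in server/config.pp has no `notify => Service[$ssh::params::service_name]`, which the replaced `concat` resource carried, so settings written through the `sshd_config` provider land on disk but sshd is never restarted, and a changed setting such as `PasswordAuthentication` only takes effect after some unrelated restart. A resource default fixes it: `create_resources('sshd_config', $options, { 'notify' => Service[$ssh::params::service_name] })`. The branch also stops managing owner, group and mode of the file (the concat resource set 0/0/0600), so a more permissive mode inherited from the package is left alone; either say so in a comment at the branch or keep a content-less `file { $ssh::params::sshd_config: owner => '0', group => '0', mode => '0600' }` next to the create_resources call.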
@@ -1,7 +1,12 @@ define ssh::server::match_block ($options, $type = 'user', $order = 50,) { - concat::fragment { "match_block ${name}": - target => $ssh::params::sshd_config, - content => template("${module_name}/sshd_match_block.erb"), - order => $order, + + if $::ssh::server::use_augeas { + fail("ssh::server::match_block() define not supported with use_augeas = true") + } else { + concat::fragment { "match_block ${name}": + target => $ssh::params::sshd_config, + content => template("${module_name}/sshd_match_block.erb"), + order => $order, + } } } From 55687f37ba41a08818efadc4da76c6cf145a3cf6 Mon Sep 17 00:00:00 2001 From: earsdown Date: Tue, 23 Jun 2015 17:23:07 +1000 Subject: [PATCH 002/246] Refactored for ruby 1.8.7 and make tests pass --- .../sshclient_options_to_augeas_ssh_config.rb | 13 ++++--------- .../sshserver_options_to_augeas_sshd_config.rb | 13 ++++--------- manifests/server/match_block.pp | 2 +- 3 files changed, 9 insertions(+), 19 deletions(-) diff --git a/lib/puppet/parser/functions/sshclient_options_to_augeas_ssh_config.rb b/lib/puppet/parser/functions/sshclient_options_to_augeas_ssh_config.rb index e3a2daf6..3daca4df 100644 --- a/lib/puppet/parser/functions/sshclient_options_to_augeas_ssh_config.rb +++ b/lib/puppet/parser/functions/sshclient_options_to_augeas_ssh_config.rb 
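Review bot: `fail()` here aborts the whole catalog for any node that declares a match_block while `use_augeas` is true, and the message does not say what to use instead, although the sshserver_options_to_augeas_sshd_config doc in this commit shows that a `'Match User www-data' => { … }` key in the server options expresses the same thing. Make the message actionable, e.g. `fail("ssh::server::match_block '${name}' is not supported with use_augeas = true; use a 'Match ...' key in ssh::server::options instead")`, and put the same sentence in a header comment above the define, which currently has none.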
@@ -92,20 +92,15 @@ module Puppet::Parser::Functions options.each do |key1,value1| if value1.is_a?(Hash) value1.each do |key2,value2| - options_final_augeas["#{key2} #{key1.gsub("Host ","")}"] = { 'ensure' => 'present' } - .merge({'host' => key1.gsub("Host ","")}) - .merge({'key' => key2, 'value' => value2}) - .merge(other_parameters) + v = { 'ensure' => 'present' }.merge({'host' => key1.gsub("Host ","")}).merge({'key' => key2, 'value' => value2}) + options_final_augeas["#{key2} #{key1.gsub("Host ","")}"] = v.merge(other_parameters) end else - options_final_augeas[key1] = { 'ensure' => 'present' } - .merge({'key' => key1, 'value' => value1}) - .merge(other_parameters) + options_final_augeas[key1] = { 'ensure' => 'present' }.merge({'key' => key1, 'value' => value1}).merge(other_parameters) end end options_absent.each do |value| - options_final_augeas[value] = { 'ensure' => 'absent' }.merge({'key' => value}) - .merge(other_parameters) + options_final_augeas[value] = { 'ensure' => 'absent' }.merge({'key' => value}).merge(other_parameters) end return options_final_augeas diff --git a/lib/puppet/parser/functions/sshserver_options_to_augeas_sshd_config.rb b/lib/puppet/parser/functions/sshserver_options_to_augeas_sshd_config.rb index 92639c1e..30579c75 100644 --- a/lib/puppet/parser/functions/sshserver_options_to_augeas_sshd_config.rb +++ b/lib/puppet/parser/functions/sshserver_options_to_augeas_sshd_config.rb 
@@ -102,20 +102,15 @@ module Puppet::Parser::Functions options.each do |key1,value1| if value1.is_a?(Hash) value1.each do |key2,value2| - options_final_augeas["#{key2} #{key1.gsub("Match ","")}"] = { 'ensure' => 'present' } - .merge({'condition' => key1.gsub("Match ","")}) - .merge({'key' => key2, 'value' => value2}) - .merge(other_parameters) + v = { 'ensure' => 'present' }.merge({'condition' => key1.gsub("Match ","")}).merge({'key' => key2, 'value' => value2}) + options_final_augeas["#{key2} #{key1.gsub("Match ","")}"] = v.merge(other_parameters) end else - options_final_augeas[key1] = { 'ensure' => 'present' } - .merge({'key' => key1, 'value' => value1}) - .merge(other_parameters) + options_final_augeas[key1] = { 'ensure' => 'present' }.merge({'key' => key1, 'value' => value1}).merge(other_parameters) end end options_absent.each do |value| - options_final_augeas[value] = { 'ensure' => 'absent' }.merge({'key' => value}) - .merge(other_parameters) + options_final_augeas[value] = { 'ensure' => 'absent' }.merge({'key' => value}).merge(other_parameters) end return options_final_augeas diff --git a/manifests/server/match_block.pp b/manifests/server/match_block.pp index 6762bc50..abd40a85 100644 --- a/manifests/server/match_block.pp +++ b/manifests/server/match_block.pp @@ -1,7 +1,7 @@ define ssh::server::match_block ($options, $type = 'user', $order = 50,) { if $::ssh::server::use_augeas { - fail("ssh::server::match_block() define not supported with use_augeas = true") + fail('ssh::server::match_block() define not supported with use_augeas = true') } else { concat::fragment { "match_block ${name}": target => $ssh::params::sshd_config, From 97c8703c3ce18eb47a0bb5ea0f4892f8e7078995 Mon Sep 17 00:00:00 2001 
From: Steffen Zieger Date: Thu, 8 Sep 2016 12:25:06 +0200 Subject: [PATCH 003/246] use old hash syntax in version fact, fixes #187 --- .rubocop.yml | 2 +- lib/facter/ssh_client_version.rb | 10 +++++----- lib/facter/ssh_server_version.rb | 10 +++++----- 3 files changed, 11 insertions(+), 11 deletions(-) diff --git a/.rubocop.yml b/.rubocop.yml index f3ceb943..f005b25c 100644 --- a/.rubocop.yml +++ b/.rubocop.yml @@ -36,7 +36,7 @@ Lint/LiteralInInterpolation: Enabled: true Style/HashSyntax: - Enabled: true + Enabled: false Style/RedundantReturn: Enabled: true diff --git a/lib/facter/ssh_client_version.rb b/lib/facter/ssh_client_version.rb index 4c4cd6ea..8cb0f719 100644 --- a/lib/facter/ssh_client_version.rb +++ b/lib/facter/ssh_client_version.rb @@ -1,5 +1,5 @@ Facter.add('ssh_client_version_full') do - confine kernel: %w(Linux SunOS FreeBSD Darwin) + confine :kernel => %w(Linux SunOS FreeBSD Darwin) setcode do version = Facter::Util::Resolution.exec('ssh -V 2>&1'). @@ -14,8 +14,8 @@ end Facter.add('ssh_client_version_major') do - confine kernel: %w(Linux SunOS FreeBSD Darwin) - confine ssh_client_version_full: true + confine :kernel => %w(Linux SunOS FreeBSD Darwin) + confine :ssh_client_version_full => true setcode do version = Facter.value('ssh_client_version_full') @@ -24,8 +24,8 @@ end Facter.add('ssh_client_version_release') do - confine kernel: %w(Linux SunOS FreeBSD Darwin) - confine ssh_client_version_full: true + confine :kernel => %w(Linux SunOS FreeBSD Darwin) + confine :ssh_client_version_full => true setcode do version = Facter.value('ssh_client_version_full') diff --git a/lib/facter/ssh_server_version.rb b/lib/facter/ssh_server_version.rb index 82005986..816e93f1 100644 --- a/lib/facter/ssh_server_version.rb +++ b/lib/facter/ssh_server_version.rb 
@@ -1,5 +1,5 @@ Facter.add('ssh_server_version_full') do - confine kernel: %w(Linux SunOS FreeBSD Darwin) + confine :kernel => %w(Linux SunOS FreeBSD Darwin) setcode do # sshd doesn't actually have a -V option (hopefully one will be added), @@ -17,8 +17,8 @@ end Facter.add('ssh_server_version_major') do - confine kernel: %w(Linux SunOS FreeBSD Darwin) - confine ssh_server_version_full: true + confine :kernel => %w(Linux SunOS FreeBSD Darwin) + confine :ssh_server_version_full => true setcode do version = Facter.value('ssh_server_version_full') @@ -27,8 +27,8 @@ end Facter.add('ssh_server_version_release') do - confine kernel: %w(Linux SunOS FreeBSD Darwin) - confine ssh_server_version_full: true + confine :kernel => %w(Linux SunOS FreeBSD Darwin) + confine :ssh_server_version_full => true setcode do version = Facter.value('ssh_server_version_full') From 8564a4b939b75dc560487acd87ad6f2258b6ff1a Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Thu, 8 Sep 2016 13:30:33 +0200 Subject: [PATCH 004/246] new release v2.9.1 --- metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/metadata.json b/metadata.json index e12043e6..0495916a 100644 --- a/metadata.json +++ b/metadata.json @@ -42,7 +42,7 @@ } ], "name": "saz-ssh", - "version": "2.9.0", + "version": "2.9.1", "source": "git://github.com/saz/puppet-ssh.git", "author": "saz", "license": "Apache-2.0", From 39b376853bb13ab5e336777e4e31a1b5cad44a14 Mon Sep 17 00:00:00 2001 From: "Peter H. Ruegg" Date: Tue, 27 Jan 2015 13:24:24 +0100 Subject: [PATCH 005/246] Allow segregation of groups for hostkeys --- manifests/hostkeys.pp | 5 ++++- manifests/knownhosts.pp | 3 ++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/manifests/hostkeys.pp b/manifests/hostkeys.pp index e65a27e0..aec29f05 100644 --- a/manifests/hostkeys.pp +++ b/manifests/hostkeys.pp 
@@ -1,6 +1,7 @@ # Class ssh::hostkeys class ssh::hostkeys( - $export_ipaddresses = true + $export_ipaddresses = true, + $storeconfigs_group = undef, ) { if $export_ipaddresses == true { $ipaddresses = ipaddresses() @@ -9,6 +10,8 @@ $host_aliases = flatten([ $::fqdn, $::hostname ]) } + tag 'hostkey_all', "hostkey_${storeconfigs_group}" + if $::sshdsakey { @@sshkey { "${::fqdn}_dsa": ensure => present, diff --git a/manifests/knownhosts.pp b/manifests/knownhosts.pp index bea3a5d0..4a7c8ac5 100644 --- a/manifests/knownhosts.pp +++ b/manifests/knownhosts.pp @@ -1,11 +1,12 @@ class ssh::knownhosts( $collect_enabled = $ssh::params::collect_enabled, + $storeconfigs_group = undef, ) inherits ssh::params { if ($collect_enabled) { resources { 'sshkey': purge => true, } - Sshkey <<| |>> + Sshkey <<| tag == "hostkey_${storeconfigs_group}" |>> } } From 33c41c8d78d23b9e7745e2fbd2a5471042ee9b34 Mon Sep 17 00:00:00 2001 From: Tomas Theunissen Date: Tue, 11 Oct 2016 17:07:32 +0200 Subject: [PATCH 006/246] Use the 'defined' function to check if a variable is set Referencing variables that are not declared will fail when the 'strict_variables' setting is set to 'true'. --- manifests/hostkeys.pp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/manifests/hostkeys.pp b/manifests/hostkeys.pp index e65a27e0..77ae9b68 100644 --- a/manifests/hostkeys.pp +++ b/manifests/hostkeys.pp @@ -9,7 +9,7 @@ $host_aliases = flatten([ $::fqdn, $::hostname ]) } - if $::sshdsakey { + if defined('$::sshdsakey') { @@sshkey { "${::fqdn}_dsa": ensure => present, host_aliases => $host_aliases, @@ -21,7 +21,7 @@ ensure => absent, } } - if $::sshrsakey { + if defined('$::sshrsakey') { @@sshkey { "${::fqdn}_rsa": ensure => present, host_aliases => $host_aliases, @@ -33,7 +33,7 @@ ensure => absent, } } - if $::sshecdsakey { + if defined('$::sshecdsakey') { @@sshkey { "${::fqdn}_ecdsa": ensure => present, host_aliases => $host_aliases, 
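Review bot: With `$storeconfigs_group` left at its `undef` default, the hostkeys.pp hunk tags the exported keys `hostkey_` and the knownhosts.pp hunk collects `tag == "hostkey_"`, so the default behaviour changes from "collect every exported host key" to "collect keys only from hosts that also left the group unset", and the `hostkey_all` tag added here is never used by any collector. Because `resources { 'sshkey': purge => true }` is kept, a narrowed collector also deletes every known_hosts entry outside the group on the next run, which the class documentation should state. Computing the collector tag once in knownhosts.pp, mapping `undef` to `hostkey_all`, keeps the old default and makes the new tag useful.
```puppet
  if ($collect_enabled) {
    # … unchanged: resources { 'sshkey': purge => true } …
    # an unset group keeps the previous behaviour of collecting every exported host key
    $collect_tag = $storeconfigs_group ? {
      undef   => 'hostkey_all',
      default => "hostkey_${storeconfigs_group}",
    }
    Sshkey <<| tag == $collect_tag |>>
  }
```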
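Review bot: `defined('$::sshdsakey')` only tests that the fact variable exists, whereas the replaced `if $::sshdsakey` also rejected an empty value on Puppet 3, where an empty string is false; a facter run that reports the key fact as an empty string could now export an `sshkey` with an empty `key`. The same applies to the rsa, ecdsa and ed25519 hunks of this commit. If that case matters, `if defined('$::sshdsakey') and $::sshdsakey != ''` keeps both guards, and a comment such as `# defined() rather than a bare test so strict_variables does not abort the compile` would record why the form changed, since that reason lives only in the commit message.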
@@ -46,7 +46,7 @@ type => 'ecdsa-sha2-nistp256', } } - if $::sshed25519key { + if defined('$::sshed25519key') { @@sshkey { "${::fqdn}_ed25519": ensure => present, host_aliases => $host_aliases, From ae3d9f846fd493f5034e009e1478439e226f8a2b Mon Sep 17 00:00:00 2001 From: Chris Edester Date: Mon, 17 Oct 2016 13:34:33 -0700 Subject: [PATCH 007/246] Fixes #191 - Do not assume ssh and sshd are installed in facts --- lib/facter/ssh_client_version.rb | 20 +++++++++------- lib/facter/ssh_server_version.rb | 26 +++++++++++---------- spec/unit/facter/ssh_client_version_spec.rb | 1 + spec/unit/facter/ssh_server_version_spec.rb | 1 + 4 files changed, 27 insertions(+), 21 deletions(-) diff --git a/lib/facter/ssh_client_version.rb b/lib/facter/ssh_client_version.rb index 8cb0f719..71cb3c5e 100644 --- a/lib/facter/ssh_client_version.rb +++ b/lib/facter/ssh_client_version.rb @@ -2,14 +2,16 @@ confine :kernel => %w(Linux SunOS FreeBSD Darwin) setcode do - version = Facter::Util::Resolution.exec('ssh -V 2>&1'). - lines. - to_a. - select { |line| line.match(%r{^OpenSSH_}) }. - first. - rstrip + if Facter::Util::Resolution.which('ssh') + version = Facter::Util::Resolution.exec('ssh -V 2>&1'). + lines. + to_a. + select { |line| line.match(%r{^OpenSSH_}) }. + first. + rstrip - version.gsub(%r{^OpenSSH_([^ ]+).*$}, '\1') unless version.nil? + version.gsub(%r{^OpenSSH_([^ ]+).*$}, '\1') unless version.nil? + end end end @@ -19,7 +21,7 @@ setcode do version = Facter.value('ssh_client_version_full') - version.gsub(%r{^([0-9]+\.[0-9]+).*$}, '\1') + version.gsub(%r{^([0-9]+\.[0-9]+).*$}, '\1') unless version.nil? end end @@ -29,6 +31,6 @@ setcode do version = Facter.value('ssh_client_version_full') - version.gsub(%r{^([0-9]+\.[0-9]+(?:\.[0-9]+)?).*$}, '\1') + version.gsub(%r{^([0-9]+\.[0-9]+(?:\.[0-9]+)?).*$}, '\1') unless version.nil? end end diff --git a/lib/facter/ssh_server_version.rb b/lib/facter/ssh_server_version.rb index 816e93f1..616838c9 100644 --- a/lib/facter/ssh_server_version.rb 
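Review bot: In the ssh_client_version_full hunk, the `select { … }.first.rstrip` chain still raises `NoMethodError` when `ssh -V` prints no line starting with `OpenSSH_` (a non-OpenSSH client, or an exec that returns nil), because `rstrip` runs before the `version.nil?` guard; the new `which` check only covers the binary being absent. Pick the line first and guard before touching it: `output = Facter::Util::Resolution.exec('ssh -V 2>&1').to_s`, then `version = output.lines.find { |line| line.match(%r{^OpenSSH_}) }`, then `version.rstrip.gsub(%r{^OpenSSH_([^ ]+).*$}, '\1') unless version.nil?`. The sshd hunk in ssh_server_version.rb has the same shape and needs the same change.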
+++ b/lib/facter/ssh_server_version.rb @@ -2,17 +2,19 @@ confine :kernel => %w(Linux SunOS FreeBSD Darwin) setcode do - # sshd doesn't actually have a -V option (hopefully one will be added), - # by happy coincidence the usage information that is printed includes the - # version number. - version = Facter::Util::Resolution.exec('sshd -V 2>&1'). - lines. - to_a. - select { |line| line.match(%r{^OpenSSH_}) }. - first. - rstrip + if Facter::Util::Resolution.which('sshd') + # sshd doesn't actually have a -V option (hopefully one will be added), + # by happy coincidence the usage information that is printed includes the + # version number. + version = Facter::Util::Resolution.exec('sshd -V 2>&1'). + lines. + to_a. + select { |line| line.match(%r{^OpenSSH_}) }. + first. + rstrip - version.gsub(%r{^OpenSSH_([^ ]+).*$}, '\1') unless version.nil? + version.gsub(%r{^OpenSSH_([^ ]+).*$}, '\1') unless version.nil? + end end end @@ -22,7 +24,7 @@ setcode do version = Facter.value('ssh_server_version_full') - version.gsub(%r{^([0-9]+\.[0-9]+).*$}, '\1') + version.gsub(%r{^([0-9]+\.[0-9]+).*$}, '\1') unless version.nil? end end @@ -32,6 +34,6 @@ setcode do version = Facter.value('ssh_server_version_full') - version.gsub(%r{^([0-9]+\.[0-9]+(?:\.[0-9]+)?).*$}, '\1') + version.gsub(%r{^([0-9]+\.[0-9]+(?:\.[0-9]+)?).*$}, '\1') unless version.nil? end end diff --git a/spec/unit/facter/ssh_client_version_spec.rb b/spec/unit/facter/ssh_client_version_spec.rb index d5ef3d14..ddd4b74f 100644 --- a/spec/unit/facter/ssh_client_version_spec.rb +++ b/spec/unit/facter/ssh_client_version_spec.rb @@ -6,6 +6,7 @@ end context 'on a Linux host' do before do + Facter::Util::Resolution.stubs(:which).with('ssh').returns('/usr/bin/ssh') Facter::Util::Resolution.stubs(:exec).with('ssh -V 2>&1').returns('OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8, OpenSSL 1.0.1f 6 Jan 2014') end it 'execs ssh -V and returns full version number' do 
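Review bot: The new `which` stub in ssh_client_version_spec.rb only exercises the installed path; no example covers `Facter::Util::Resolution.which('ssh')` returning nil, which is the case the commit exists to handle (#191 per the subject). A sibling context that stubs `which` to return `nil` and expects `Facter.fact(:ssh_client_version_full).value` to be nil would pin that behaviour; the ssh_server_version_spec hunk has the same gap.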
diff --git a/spec/unit/facter/ssh_server_version_spec.rb b/spec/unit/facter/ssh_server_version_spec.rb index f96bcd6f..73c9c897 100644 --- a/spec/unit/facter/ssh_server_version_spec.rb +++ b/spec/unit/facter/ssh_server_version_spec.rb @@ -6,6 +6,7 @@ end context 'on a Linux host' do before do + Facter::Util::Resolution.stubs(:which).with('sshd').returns('/usr/sbin/sshd') Facter::Util::Resolution.stubs(:exec).with('sshd -V 2>&1').returns('OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8, OpenSSL 1.0.1f 6 Jan 2014') end it 'execs sshd -V' do From 377f0cb5b247fcfc3b5fae6b1f65fb1b6fade751 Mon Sep 17 00:00:00 2001 From: Chris Edester Date: Mon, 17 Oct 2016 13:46:32 -0700 Subject: [PATCH 008/246] puppet-strings rake tasks location change --- Rakefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Rakefile b/Rakefile index ec672404..9046301c 100644 --- a/Rakefile +++ b/Rakefile @@ -1,7 +1,7 @@ require 'puppetlabs_spec_helper/rake_tasks' require 'puppet_blacksmith/rake_tasks' require 'voxpupuli/release/rake_tasks' -require 'puppet-strings/rake_tasks' +require 'puppet-strings/tasks' if RUBY_VERSION >= '2.2.0' require 'rubocop/rake_task' From 2f3f588f3648a178134d52fa3af56cd666c6d194 Mon Sep 17 00:00:00 2001 From: juniorsysadmin Date: Sat, 31 Dec 2016 22:43:25 +1100 Subject: [PATCH 009/246] Support Puppet 4 in metadata.json, bump deps Bump dependencies to the minimum version that should work under Puppet 4, based on the metadata Remove deprecated pe field in metadata.json --- .fixtures.yml | 4 +--- metadata.json | 10 +++------- 2 files changed, 4 insertions(+), 10 deletions(-) diff --git a/.fixtures.yml b/.fixtures.yml index 0d939656..185f53b7 100644 --- a/.fixtures.yml +++ b/.fixtures.yml @@ -1,8 +1,6 @@ fixtures: repositories: stdlib: "https://github.com/puppetlabs/puppetlabs-stdlib" - concat: - repo: "https://github.com/puppetlabs/puppetlabs-concat" - ref: "1.2.0" + concat: "https://github.com/puppetlabs/puppetlabs-concat" symlinks: ssh: "#{source_dir}" 
diff --git a/metadata.json b/metadata.json index 0495916a..4c483585 100644 --- a/metadata.json +++ b/metadata.json @@ -32,13 +32,9 @@ } ], "requirements": [ - { - "name": "pe", - "version_requirement": "3.2.x" - }, { "name": "puppet", - "version_requirement": "3.x" + "version_requirement": ">= 3.0.0 < 5.0.0" } ], "name": "saz-ssh", @@ -52,11 +48,11 @@ "dependencies": [ { "name": "puppetlabs/stdlib", - "version_requirement": ">= 2.2.1" + "version_requirement": ">= 4.6.0 < 5.0.0" }, { "name": "puppetlabs/concat", - "version_requirement": ">= 1.0.0" + "version_requirement": ">= 1.2.5 < 3.0.0" } ] } From 2b2c88295c6d6f3bae170756f153b22dca9f1715 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Sat, 7 Jan 2017 20:48:03 +0100 Subject: [PATCH 010/246] remove puppet-strings from Rakefile --- Rakefile | 1 - 1 file changed, 1 deletion(-) diff --git a/Rakefile b/Rakefile index 9046301c..3bd6547a 100644 --- a/Rakefile +++ b/Rakefile @@ -1,7 +1,6 @@ require 'puppetlabs_spec_helper/rake_tasks' require 'puppet_blacksmith/rake_tasks' require 'voxpupuli/release/rake_tasks' -require 'puppet-strings/tasks' if RUBY_VERSION >= '2.2.0' require 'rubocop/rake_task' From a33452b5748b57d84632cad5f79b99736a722833 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Sat, 7 Jan 2017 21:04:21 +0100 Subject: [PATCH 011/246] fix spec tests failing due to concat usage --- spec/classes/server_spec.rb | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/spec/classes/server_spec.rb b/spec/classes/server_spec.rb index 0c674b88..59f1b2df 100644 --- a/spec/classes/server_spec.rb +++ b/spec/classes/server_spec.rb @@ -94,13 +94,6 @@ it { should contain_class('ssh::params') } it { should contain_package('openssh-server').with_ensure(param_hash[:ensure]) } - it do - should contain_file('/etc/ssh/sshd_config').with( - 'owner' => 0, - 'group' => 0 - ) - end - it do should contain_service('ssh').with( 'ensure' => 'running', 
@@ -110,7 +103,6 @@ ) end - it { should contain_class('concat::setup') } it { should contain_concat('/etc/ssh/sshd_config') } it do should contain_concat__fragment('global config').with( @@ -156,13 +148,6 @@ ) end - it do - should contain_file('/etc/ssh/sshd_config').with( - 'owner' => 0, - 'group' => 0 - ) - end - it do should contain_service('sshd.service').with( 'ensure' => 'running', @@ -172,7 +157,6 @@ ) end - it { should contain_class('concat::setup') } it { should contain_concat('/etc/ssh/sshd_config') } it do should contain_concat__fragment('global config').with( From b70c66dee868674f402f1b7629828bb17b26aabf Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Sat, 7 Jan 2017 21:12:45 +0100 Subject: [PATCH 012/246] fix rubocop errors --- .rubocop.yml | 2 ++ spec/classes/client_spec.rb | 4 +-- spec/classes/init_spec.rb | 10 +++---- spec/classes/server_spec.rb | 22 +++++++------- spec/defines/client/config/user_spec.rb | 34 +++++++++++----------- spec/defines/server/config/setting_spec.rb | 8 ++--- 6 files changed, 41 insertions(+), 39 deletions(-) diff --git a/.rubocop.yml b/.rubocop.yml index f005b25c..c346ec94 100644 --- a/.rubocop.yml +++ b/.rubocop.yml @@ -504,3 +504,5 @@ RSpec/DescribeClass: RSpec/ExampleLength: Enabled: False +RSpec/NestedGroups: + MaxNesting: 5 diff --git a/spec/classes/client_spec.rb b/spec/classes/client_spec.rb index b0b9d4b5..500a855d 100644 --- a/spec/classes/client_spec.rb +++ b/spec/classes/client_spec.rb @@ -13,7 +13,7 @@ } end it do - should contain_package('openssh-client').with(ensure: 'present') + is_expected.to contain_package('openssh-client').with(ensure: 'present') end end context 'On Debian with custom ensure' do @@ -33,7 +33,7 @@ } end it do - should contain_package('openssh-client').with(ensure: 'latest') + is_expected.to contain_package('openssh-client').with(ensure: 'latest') end end end diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index ce791dfc..2da69b84 100644 
--- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb @@ -20,13 +20,13 @@ } end it do - should contain_class('ssh::client') + is_expected.to contain_class('ssh::client') end it do - should contain_class('ssh::server') + is_expected.to contain_class('ssh::server') end it do - should contain_concat('/etc/ssh/sshd_config').with_validate_cmd(nil) + is_expected.to contain_concat('/etc/ssh/sshd_config').with_validate_cmd(nil) end context 'On Debian with the validate_sshd_file setting' do @@ -53,10 +53,10 @@ } end it do - should contain_class('ssh::client') + is_expected.to contain_class('ssh::client') end it do - should contain_concat('/etc/ssh/sshd_config').with_validate_cmd('/usr/sbin/sshd -tf %') + is_expected.to contain_concat('/etc/ssh/sshd_config').with_validate_cmd('/usr/sbin/sshd -tf %') end end end diff --git a/spec/classes/server_spec.rb b/spec/classes/server_spec.rb index 59f1b2df..2f0a46d5 100644 --- a/spec/classes/server_spec.rb +++ b/spec/classes/server_spec.rb @@ -36,7 +36,7 @@ end it do - should contain_concat__fragment('global config').with( + is_expected.to contain_concat__fragment('global config').with( target: '/etc/ssh/sshd_config', content: '# File is managed by Puppet @@ -91,11 +91,11 @@ end describe "on supported osfamily: #{osfamily}" do - it { should contain_class('ssh::params') } - it { should contain_package('openssh-server').with_ensure(param_hash[:ensure]) } + it { is_expected.to contain_class('ssh::params') } + it { is_expected.to contain_package('openssh-server').with_ensure(param_hash[:ensure]) } it do - should contain_service('ssh').with( + is_expected.to contain_service('ssh').with( 'ensure' => 'running', 'enable' => true, 'hasrestart' => true, 
@@ -103,9 +103,9 @@ ) end - it { should contain_concat('/etc/ssh/sshd_config') } + it { is_expected.to contain_concat('/etc/ssh/sshd_config') } it do - should contain_concat__fragment('global config').with( + is_expected.to contain_concat__fragment('global config').with( target: '/etc/ssh/sshd_config', content: '# File is managed by Puppet @@ -140,16 +140,16 @@ } end - it { should contain_class('ssh::params') } + it { is_expected.to contain_class('ssh::params') } it do - should contain_package('openssh').with( + is_expected.to contain_package('openssh').with( ensure: param_hash[:ensure], name: 'openssh' ) end it do - should contain_service('sshd.service').with( + is_expected.to contain_service('sshd.service').with( 'ensure' => 'running', 'enable' => true, 'hasrestart' => true, @@ -157,9 +157,9 @@ ) end - it { should contain_concat('/etc/ssh/sshd_config') } + it { is_expected.to contain_concat('/etc/ssh/sshd_config') } it do - should contain_concat__fragment('global config').with( + is_expected.to contain_concat__fragment('global config').with( target: '/etc/ssh/sshd_config', content: '# File is managed by Puppet diff --git a/spec/defines/client/config/user_spec.rb b/spec/defines/client/config/user_spec.rb index 8fb37798..cd9beff0 100644 --- a/spec/defines/client/config/user_spec.rb +++ b/spec/defines/client/config/user_spec.rb @@ -41,7 +41,7 @@ it 'fails' do expect do - should compile + is_expected.to compile end.to raise_error(%r{#{value[1]}}) end end @@ -61,9 +61,9 @@ end it do - should contain_file(target).with(ensure: 'file', - owner: title, - mode: '0600') + is_expected.to contain_file(target).with(ensure: 'file', + owner: title, + mode: '0600') end end # describe 'with a user provided target' 
@@ -81,13 +81,13 @@ end it 'contains ssh directory and ssh config' do - should contain_file("#{user_home_dir}/.ssh").with(ensure: 'directory', - owner: title, - mode: '0700').that_comes_before("File[#{user_home_dir}/.ssh/config]") + is_expected.to contain_file("#{user_home_dir}/.ssh").with(ensure: 'directory', + owner: title, + mode: '0700').that_comes_before("File[#{user_home_dir}/.ssh/config]") - should contain_file("#{user_home_dir}/.ssh/config").with(ensure: 'file', - owner: title, - mode: '0600') + is_expected.to contain_file("#{user_home_dir}/.ssh/config").with(ensure: 'file', + owner: title, + mode: '0600') end end # context 'with manage_user_ssh_dir default value' @@ -100,15 +100,15 @@ end it do - should_not contain_file("#{user_home_dir}/.ssh") + is_expected.not_to contain_file("#{user_home_dir}/.ssh") end end # context 'with manage_user_ssh_dir set to false' end # context 'with a user provided user_home_dir' context 'with no user provided user_home_dir' do it 'with manage_user_ssh_dir default value' do - should contain_file("/home/#{title}/.ssh").that_comes_before("File[/home/#{title}/.ssh/config]") - should contain_file("/home/#{title}/.ssh/config") + is_expected.to contain_file("/home/#{title}/.ssh").that_comes_before("File[/home/#{title}/.ssh/config]") + is_expected.to contain_file("/home/#{title}/.ssh/config") end context 'with manage_user_ssh_dir set to false' do @@ -119,11 +119,11 @@ end it do - should_not contain_file("/home/#{title}/.ssh") + is_expected.not_to contain_file("/home/#{title}/.ssh") end it do - should contain_file("/home/#{title}/.ssh/config") + is_expected.to contain_file("/home/#{title}/.ssh/config") end end # context 'with manage_user_ssh_dir set to false' end # context 'with no user provided user_home_dir' 
@@ -137,11 +137,11 @@ end it 'has single value' do - should contain_file("/home/#{title}/.ssh/config").with(content: %r{HashKnownHosts\s+yes}) + is_expected.to contain_file("/home/#{title}/.ssh/config").with(content: %r{HashKnownHosts\s+yes}) end it 'has Hash value' do - should contain_file("/home/#{title}/.ssh/config").with(content: %r{Host \*\.in2p3\.fr\s*\n\s+GSSAPIAuthentication\s+no\s*\n\s+User\s+riton}) + is_expected.to contain_file("/home/#{title}/.ssh/config").with(content: %r{Host \*\.in2p3\.fr\s*\n\s+GSSAPIAuthentication\s+no\s*\n\s+User\s+riton}) end end end # describe 'with correct values' diff --git a/spec/defines/server/config/setting_spec.rb b/spec/defines/server/config/setting_spec.rb index aed8e483..e64ee1bc 100644 --- a/spec/defines/server/config/setting_spec.rb +++ b/spec/defines/server/config/setting_spec.rb @@ -29,7 +29,7 @@ end it do - should contain_concat__fragment('ssh_setting_something_AllowGroups').with_content(%r{\nAllowGroups group1 group2\n}) + is_expected.to contain_concat__fragment('ssh_setting_something_AllowGroups').with_content(%r{\nAllowGroups group1 group2\n}) end end @@ -42,7 +42,7 @@ end it do - should contain_concat__fragment('ssh_setting_something_Somesetting').with_content(%r{\nSomesetting yes\n}) + is_expected.to contain_concat__fragment('ssh_setting_something_Somesetting').with_content(%r{\nSomesetting yes\n}) end end @@ -55,7 +55,7 @@ end it do - should contain_concat__fragment('ssh_setting_something_Foo').with_content(%r{\nFoo 1 2\n}) + is_expected.to contain_concat__fragment('ssh_setting_something_Foo').with_content(%r{\nFoo 1 2\n}) end end @@ -71,7 +71,7 @@ it 'fails' do expect do - should compile + is_expected.to compile end.to raise_error(%r{Hash values are not supported}) end end From ab504563bd12b3ef5d60636ef65f328fb86a0420 Mon Sep 17 00:00:00 2001 
From: Steffen Zieger Date: Sat, 7 Jan 2017 21:32:03 +0100 Subject: [PATCH 013/246] fix puppet lint errors --- Rakefile | 1 - manifests/server/config.pp | 4 ++-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/Rakefile b/Rakefile index 3bd6547a..5c10c3f5 100644 --- a/Rakefile +++ b/Rakefile @@ -11,7 +11,6 @@ if RUBY_VERSION >= '2.2.0' end end -PuppetLint.configuration.log_format = '%{path}:%{linenumber}:%{check}:%{KIND}:%{message}' PuppetLint.configuration.fail_on_warnings = true PuppetLint.configuration.send('relative') PuppetLint.configuration.send('disable_140chars') diff --git a/manifests/server/config.pp b/manifests/server/config.pp index f9b7a311..f70c0da7 100644 --- a/manifests/server/config.pp +++ b/manifests/server/config.pp @@ -19,13 +19,13 @@ group => '0', mode => '0600', validate_cmd => $sshd_validate_cmd, - notify => Service[$ssh::params::service_name] + notify => Service[$ssh::params::service_name], } concat::fragment { 'global config': target => $ssh::params::sshd_config, content => template("${module_name}/sshd_config.erb"), - order => '00' + order => '00', } } } From ba360d85ca8d07e2c192058f30dd76c25f2bc652 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Sat, 7 Jan 2017 21:39:53 +0100 Subject: [PATCH 014/246] fix rubocop issues --- .rubocop.yml | 3 + .../sshclient_options_to_augeas_ssh_config.rb | 71 +++++++++---------- ...sshserver_options_to_augeas_sshd_config.rb | 71 +++++++++---------- 3 files changed, 73 insertions(+), 72 deletions(-) diff --git a/.rubocop.yml b/.rubocop.yml index c346ec94..2743d41e 100644 --- a/.rubocop.yml +++ b/.rubocop.yml @@ -494,6 +494,9 @@ Lint/UselessAssignment: Style/ClosingParenthesisIndentation: Enabled: false +BlockLength: + Max: 70 + # RSpec # We don't use rspec in this way diff --git a/lib/puppet/parser/functions/sshclient_options_to_augeas_ssh_config.rb b/lib/puppet/parser/functions/sshclient_options_to_augeas_ssh_config.rb index 3daca4df..e4583991 100644 
--- a/lib/puppet/parser/functions/sshclient_options_to_augeas_ssh_config.rb +++ b/lib/puppet/parser/functions/sshclient_options_to_augeas_ssh_config.rb @@ -24,7 +24,7 @@ module Puppet::Parser::Functions $options_final_augeas = sshclient_options_to_augeas_ssh_config($options, $options_absent, $other_parameters) In this case, the value of $options_final_augeas would be: - + 'ForwardAgent *.example.com' => { 'ensure' => 'present', 'host' => '*.example.com', 
@@ -66,43 +66,42 @@ module Puppet::Parser::Functions ENDHEREDOC - if args.length < 1 - raise Puppet::ParseError,("sshclient_options_to_augeas_ssh_config: expects at least one argument") - end - - options = args[0] - unless options.is_a?(Hash) - raise Puppet::ParseError,("sshclient_options_to_augeas_ssh_config: first argument must be a hash") - end + if args.empty? + raise Puppet::ParseError, 'sshclient_options_to_augeas_ssh_config: expects at least one argument' + end - options_absent = args[1] if args[1] - other_parameters = args[2] if args[2] - if options_absent - unless options_absent.is_a?(Array) or options_absent.is_a?(String) - raise Puppet::ParseError,("sshclient_options_to_augeas_ssh_config: second argument, if supplied, must be an array or a string") + options = args[0] + unless options.is_a?(Hash) + raise Puppet::ParseError, 'sshclient_options_to_augeas_ssh_config: first argument must be a hash' end - end - if other_parameters - unless other_parameters.is_a?(Hash) - raise Puppet::ParseError,("sshclient_options_to_augeas_ssh_config: third argument, if supplied, must be a hash") + + options_absent = args[1] if args[1] + other_parameters = args[2] if args[2] + if options_absent + unless options_absent.is_a?(Array) || options_absent.is_a?(String) + raise Puppet::ParseError, 'sshclient_options_to_augeas_ssh_config: second argument, if supplied, must be an array or a string' + end end - end - - options_final_augeas = {} - options.each do |key1,value1| - if value1.is_a?(Hash) - value1.each do |key2,value2| - v = { 'ensure' => 'present' }.merge({'host' => key1.gsub("Host ","")}).merge({'key' => key2, 'value' => value2}) - options_final_augeas["#{key2} #{key1.gsub("Host ","")}"] = v.merge(other_parameters) + if other_parameters + unless other_parameters.is_a?(Hash) + raise Puppet::ParseError, 'sshclient_options_to_augeas_ssh_config: third argument, if supplied, must be a hash' end - else - options_final_augeas[key1] = { 'ensure' => 'present' }.merge({'key' => 
key1, 'value' => value1}).merge(other_parameters) - end - end - options_absent.each do |value| - options_final_augeas[value] = { 'ensure' => 'absent' }.merge({'key' => value}).merge(other_parameters) - end - return options_final_augeas + end - end #newfunction -end #module + options_final_augeas = {} + options.each do |key1, value1| + if value1.is_a?(Hash) + value1.each do |key2, value2| + v = { 'ensure' => 'present' }.merge('host' => key1.gsub('Host ', '')).merge('key' => key2, 'value' => value2) + options_final_augeas["#{key2} #{key1.gsub('Host ', '')}"] = v.merge(other_parameters) + end + else + options_final_augeas[key1] = { 'ensure' => 'present' }.merge('key' => key1, 'value' => value1).merge(other_parameters) + end + end + options_absent.each do |value| + options_final_augeas[value] = { 'ensure' => 'absent' }.merge('key' => value).merge(other_parameters) + end + return options_final_augeas + end # newfunction +end # module diff --git a/lib/puppet/parser/functions/sshserver_options_to_augeas_sshd_config.rb b/lib/puppet/parser/functions/sshserver_options_to_augeas_sshd_config.rb index 30579c75..70db06a1 100644 --- a/lib/puppet/parser/functions/sshserver_options_to_augeas_sshd_config.rb +++ b/lib/puppet/parser/functions/sshserver_options_to_augeas_sshd_config.rb @@ -27,7 +27,7 @@ module Puppet::Parser::Functions $options_final_augeas = sshserver_options_to_augeas_sshd_config($options, $options_absent, $other_parameters) In this case, the value of $options_final_augeas would be: - + 'PasswordAuthentication User www-data' => { 'ensure' => 'present', 'condition' => 'User www-data', 
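Review bot: The two optional arguments are still left as `nil` when omitted (`options_absent = args[1] if args[1]`, `other_parameters = args[2] if args[2]`), so the single-argument call that the error messages describe as valid ("if supplied") fails at `options_absent.each` with NoMethodError and at `v.merge(other_parameters)` with TypeError, and a bare String second argument passes the type check but has no `each` on Ruby 1.9+. This hunk only reflows the code so the defect predates it, but it is the natural place to fix it: default both before the type checks with `options_absent = args[1].is_a?(String) ? [args[1]] : (args[1] || [])` and `other_parameters = args[2] || {}`, and the existing `is_a?` checks keep working. Separately, `key1.gsub('Host ', '')` strips the prefix anywhere in the key; `key1.sub(/\AHost /, '')` matches only the documented `'Host *.example.com'` form.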
@@ -76,43 +76,42 @@ module Puppet::Parser::Functions ENDHEREDOC - if args.length < 1 - raise Puppet::ParseError,("sshserver_options_to_augeas_sshd_config: expects at least one argument") - end - - options = args[0] - unless options.is_a?(Hash) - raise Puppet::ParseError,("sshserver_options_to_augeas_sshd_config: first argument must be a hash") - end + if args.empty? + raise Puppet::ParseError, 'sshserver_options_to_augeas_sshd_config: expects at least one argument' + end - options_absent = args[1] if args[1] - other_parameters = args[2] if args[2] - if options_absent - unless options_absent.is_a?(Array) or options_absent.is_a?(String) - raise Puppet::ParseError,("sshserver_options_to_augeas_sshd_config: second argument, if supplied, must be an array or a string") + options = args[0] + unless options.is_a?(Hash) + raise Puppet::ParseError, 'sshserver_options_to_augeas_sshd_config: first argument must be a hash' end - end - if other_parameters - unless other_parameters.is_a?(Hash) - raise Puppet::ParseError,("sshserver_options_to_augeas_sshd_config: third argument, if supplied, must be a hash") + + options_absent = args[1] if args[1] + other_parameters = args[2] if args[2] + if options_absent + unless options_absent.is_a?(Array) || options_absent.is_a?(String) + raise Puppet::ParseError, 'sshserver_options_to_augeas_sshd_config: second argument, if supplied, must be an array or a string' + end end - end - - options_final_augeas = {} - options.each do |key1,value1| - if value1.is_a?(Hash) - value1.each do |key2,value2| - v = { 'ensure' => 'present' }.merge({'condition' => key1.gsub("Match ","")}).merge({'key' => key2, 'value' => value2}) - options_final_augeas["#{key2} #{key1.gsub("Match ","")}"] = v.merge(other_parameters) + if other_parameters + unless other_parameters.is_a?(Hash) + raise Puppet::ParseError, 'sshserver_options_to_augeas_sshd_config: third argument, if supplied, must be a hash' end - else - options_final_augeas[key1] = { 'ensure' => 'present' 
}.merge({'key' => key1, 'value' => value1}).merge(other_parameters) - end - end - options_absent.each do |value| - options_final_augeas[value] = { 'ensure' => 'absent' }.merge({'key' => value}).merge(other_parameters) - end - return options_final_augeas + end - end #newfunction -end #module + options_final_augeas = {} + options.each do |key1, value1| + if value1.is_a?(Hash) + value1.each do |key2, value2| + v = { 'ensure' => 'present' }.merge('condition' => key1.gsub('Match ', '')).merge('key' => key2, 'value' => value2) + options_final_augeas["#{key2} #{key1.gsub('Match ', '')}"] = v.merge(other_parameters) + end + else + options_final_augeas[key1] = { 'ensure' => 'present' }.merge('key' => key1, 'value' => value1).merge(other_parameters) + end + end + options_absent.each do |value| + options_final_augeas[value] = { 'ensure' => 'absent' }.merge('key' => value).merge(other_parameters) + end + return options_final_augeas + end # newfunction +end # module From 31ab3dc0b238ec4c1b77baf0e9b3b3cc4a6027da Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Sat, 7 Jan 2017 22:03:49 +0100 Subject: [PATCH 015/246] new release v3.0.0 --- metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/metadata.json b/metadata.json index 4c483585..700022c6 100644 --- a/metadata.json +++ b/metadata.json @@ -38,7 +38,7 @@ } ], "name": "saz-ssh", - "version": "2.9.1", + "version": "3.0.0", "source": "git://github.com/saz/puppet-ssh.git", "author": "saz", "license": "Apache-2.0", From dd817cf2745ee1f4196eb21f4814a098019de0a0 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Sat, 7 Jan 2017 22:16:45 +0100 Subject: [PATCH 016/246] prevent duplicate uploads to puppet forge --- .travis.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index f20707ea..bb3f6428 100644 --- a/.travis.yml +++ b/.travis.yml 
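Review bot: Same latent crash as the client-side function: `options_absent` and `other_parameters` stay `nil` when the caller omits them, so `options_absent.each` raises NoMethodError and `v.merge(other_parameters)` raises TypeError even though the error text says these arguments are optional ("if supplied"), and a String second argument has no `each` on Ruby 1.9+. Normalise before the type checks, `options_absent = args[1].is_a?(String) ? [args[1]] : (args[1] || [])` and `other_parameters = args[2] || {}`, so the `is_a?` validation and the loops below work unchanged. `key1.gsub('Match ', '')` would also rewrite a `Match ` substring anywhere in the key; `key1.sub(/\AMatch /, '')` is the safer form for the documented `'Match User www-data'` style keys.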
@@ -29,7 +29,7 @@ matrix: - rvm: 2.3.1 env: PUPPET_VERSION="~> 4.0" STRICT_VARIABLES="yes" CHECK=rubocop - rvm: 2.3.1 - env: PUPPET_VERSION="~> 4.0" STRICT_VARIABLES="yes" CHECK=test + env: PUPPET_VERSION="~> 4.0" STRICT_VARIABLES="yes" CHECK=test FORGEDEPLOY=true notifications: email: false deploy: @@ -41,3 +41,4 @@ deploy: tags: true all_branches: true rvm: 2.3.1 + condition: "$FORGEDEPLOY = true" From ba2fb165321b37cbdd01dfa9146f072396554035 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Sat, 7 Jan 2017 22:17:20 +0100 Subject: [PATCH 017/246] new release v3.0.1 --- metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/metadata.json b/metadata.json index 700022c6..4eeec62c 100644 --- a/metadata.json +++ b/metadata.json @@ -38,7 +38,7 @@ } ], "name": "saz-ssh", - "version": "3.0.0", + "version": "3.0.1", "source": "git://github.com/saz/puppet-ssh.git", "author": "saz", "license": "Apache-2.0", From dbebaeba967cea8d330364b65696135823601e69 Mon Sep 17 00:00:00 2001 From: Marknl Date: Mon, 13 Feb 2017 10:41:02 +0100 Subject: [PATCH 018/246] Created issue.net.erb --- templates/issue.net.erb | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 templates/issue.net.erb diff --git a/templates/issue.net.erb b/templates/issue.net.erb new file mode 100644 index 00000000..fb8ef2ab --- /dev/null +++ b/templates/issue.net.erb 
@@ -0,0 +1,16 @@ + <%= @hostname %> +********* ****************************************** +* This system is a restricted resource and property. * +* Use your administrator assigned user-id to access. * +* Unauthorized use and/or misuse of this system and services may constitute * +* a breach of International criminal law, and could lead to legal * +* disciplinary actions. * +* * +* Individuals using this system without authority or in excess of their * +* authority are subject to having all their activities on this system * +* monitored and recorded or examined by any authorized person, including law * +* enforcement, as system personnel deem appropriate. * +* * +* LOG OFF IMMEDIATELY * +* * +******************************************************************************* From 082fea3220f357a0e8dbf75f02056b7cfe45309b Mon Sep 17 00:00:00 2001 From: Marknl Date: Mon, 13 Feb 2017 10:42:30 +0100 Subject: [PATCH 019/246] Added $issue_net parameter --- manifests/params.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/manifests/params.pp b/manifests/params.pp index 1a3386fc..9e821b54 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -202,4 +202,5 @@ $user_ssh_directory_default_mode = '0700' $user_ssh_config_default_mode = '0600' $collect_enabled = true # Collect sshkey resources + $issue_net = '/etc/issue.net' } From beb8c07fc4e983498c8caafa255c60b0298a862d Mon Sep 17 00:00:00 2001 From: Marknl Date: Mon, 13 Feb 2017 10:52:25 +0100 Subject: [PATCH 020/246] Added issue.net placement --- manifests/server/config.pp | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/manifests/server/config.pp b/manifests/server/config.pp index f70c0da7..6cda5fd7 100644 --- a/manifests/server/config.pp +++ b/manifests/server/config.pp 
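Review bot: The first line of the template, `<%= @hostname %>`, embeds the server's hostname in a file that sshd sends to every client before authentication (later commits in this series point `Banner` at it), so it discloses a system identifier to unauthenticated and possibly scanning clients; pre-auth banners are normally limited to the legal notice. Drop that line or make it opt-in, and consider exposing the banner text as a parameter instead of hard-coding one wording. The top border row also looks mis-sized (`********* ****`), though that may be an artefact of how the patch was captured.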
@@ -28,4 +28,16 @@ order => '00', } } + + if $::ssh::server::use_isse_net { + file { $ssh::params::issue_net: + ensure => present, + owner => 0, + group => 0, + mode => '0644', + content => template("${module_name}/issue.net.erb"), + require => Class['ssh::server::install'], + notify => Service[$ssh::params::service_name], + } + } } From 46a9d9a2ba6437025eaa0360307385e89b8eb3f3 Mon Sep 17 00:00:00 2001 From: Marknl Date: Mon, 13 Feb 2017 10:53:34 +0100 Subject: [PATCH 021/246] Added use_isse_net parameter --- manifests/server.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/manifests/server.pp b/manifests/server.pp index c1459433..79cf0ff3 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -5,6 +5,7 @@ $validate_sshd_file = false, $use_augeas = false, $options_absent = [], + $use_isse_net = false, ) inherits ssh::params { # Merge hashes from multiple layer of hierarchy in hiera From 89e2d01f4d1cd3ece4d16b737b22e7785dd5652b Mon Sep 17 00:00:00 2001 From: Marknl Date: Mon, 13 Feb 2017 10:54:01 +0100 Subject: [PATCH 022/246] Update server.pp --- manifests/server.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/server.pp b/manifests/server.pp index 79cf0ff3..2556b42b 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -5,7 +5,7 @@ $validate_sshd_file = false, $use_augeas = false, $options_absent = [], - $use_isse_net = false, + $use_issue_net = false, ) inherits ssh::params { # Merge hashes from multiple layer of hierarchy in hiera From 34525eb5e45918df3ffa983b76b3e150fcade338 Mon Sep 17 00:00:00 2001 From: Marknl Date: Mon, 13 Feb 2017 10:54:19 +0100 Subject: [PATCH 023/246] Update config.pp --- manifests/server/config.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/server/config.pp b/manifests/server/config.pp index 6cda5fd7..28cc67ac 100644 --- a/manifests/server/config.pp +++ b/manifests/server/config.pp 
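Review bot: The `file { $ssh::params::issue_net: ... }` resource uses `ensure => present` while also managing `content`; `ensure => file` is the correct form for a regular file whose content Puppet owns, since `present` is also satisfied by a directory or symlink of that name. The `notify => Service[$ssh::params::service_name]` looks unnecessary too: as far as I know sshd reads the Banner file on each connection rather than at startup, so verify that and drop it to avoid restarting sshd for a banner edit. (The `use_isse_net` typo in the guard is corrected later in the series.)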
@@ -29,7 +29,7 @@ } } - if $::ssh::server::use_isse_net { + if $::ssh::server::use_issue_net { file { $ssh::params::issue_net: ensure => present, owner => 0, From 75cef5e02e8238cfbcb128d2c3f0a12d5f70f21a Mon Sep 17 00:00:00 2001 From: Marknl Date: Mon, 13 Feb 2017 11:48:22 +0100 Subject: [PATCH 024/246] Added $use_issue_net parameter Feed param to ::ssh::server --- manifests/init.pp | 2 ++ 1 file changed, 2 insertions(+) diff --git a/manifests/init.pp b/manifests/init.pp index f2358d20..3e3419c2 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -10,6 +10,7 @@ $use_augeas = false, $server_options_absent = [], $client_options_absent = [], + $use_issue_net = false, ) inherits ssh::params { validate_hash($server_options) @@ -59,6 +60,7 @@ validate_sshd_file => $validate_sshd_file, use_augeas => $use_augeas, options_absent => $server_options_absent, + use_issue_net => $use_issue_net, } class { '::ssh::client': From 7edb80b99913be560e5e664588311c50854c2948 Mon Sep 17 00:00:00 2001 From: Marknl Date: Mon, 13 Feb 2017 11:48:54 +0100 Subject: [PATCH 025/246] Added bool validation for new parameter. --- manifests/init.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/manifests/init.pp b/manifests/init.pp index 3e3419c2..02644405 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -22,6 +22,7 @@ validate_bool($use_augeas) validate_array($server_options_absent) validate_array($client_options_absent) + validate_bool($use_issue_net) # Merge hashes from multiple layer of hierarchy in hiera $hiera_server_options = hiera_hash("${module_name}::server_options", undef) From f0b85a1f368acfe0785990f42a005df77be1e9ec Mon Sep 17 00:00:00 2001 From: Marknl Date: Mon, 13 Feb 2017 11:56:15 +0100 Subject: [PATCH 026/246] Removed required for file --- manifests/server/config.pp | 1 - 1 file changed, 1 deletion(-) diff --git a/manifests/server/config.pp b/manifests/server/config.pp index 28cc67ac..e9801f36 100644 --- a/manifests/server/config.pp +++ b/manifests/server/config.pp 
@@ -36,7 +36,6 @@ group => 0, mode => '0644', content => template("${module_name}/issue.net.erb"), - require => Class['ssh::server::install'], notify => Service[$ssh::params::service_name], } } From c13b1a8acf49c5747aefb8141185066170d0cfd4 Mon Sep 17 00:00:00 2001 From: Marknl Date: Mon, 13 Feb 2017 12:23:46 +0100 Subject: [PATCH 027/246] Add Banner setting in sshd_config --- manifests/server/config.pp | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/manifests/server/config.pp b/manifests/server/config.pp index e9801f36..effebd47 100644 --- a/manifests/server/config.pp +++ b/manifests/server/config.pp @@ -38,5 +38,11 @@ content => template("${module_name}/issue.net.erb"), notify => Service[$ssh::params::service_name], } + + concat::fragment { "banner file": + target => $ssh::params::sshd_config, + content => "Banner ${ssh::params::issue_net}\n", + order => 01, + } } } From 98f2b44cc4a0a7d9d4e4fec466b78d0ed21a08c8 Mon Sep 17 00:00:00 2001 From: Marknl Date: Mon, 13 Feb 2017 12:28:49 +0100 Subject: [PATCH 028/246] Fixes for TravisCI --- manifests/server/config.pp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/manifests/server/config.pp b/manifests/server/config.pp index effebd47..4be65ae1 100644 --- a/manifests/server/config.pp +++ b/manifests/server/config.pp @@ -28,7 +28,7 @@ order => '00', } } - + if $::ssh::server::use_issue_net { file { $ssh::params::issue_net: ensure => present, @@ -39,10 +39,10 @@ notify => Service[$ssh::params::service_name], } - concat::fragment { "banner file": + concat::fragment { 'banner file': target => $ssh::params::sshd_config, content => "Banner ${ssh::params::issue_net}\n", - order => 01, + order => '01', } } } From 79a140b285e3d2cc91661caf58eb89f96d5aa68f Mon Sep 17 00:00:00 2001 
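Review bot: The new `'banner file'` fragment writes `Banner ${ssh::params::issue_net}` at order `'01'`, after the `'global config'` fragment at order `'00'` that is rendered from the sshd_config template (the template itself is not in this diff, but presumably it emits the user's server options). sshd honours the first occurrence of a keyword, so if a user has also set `Banner` through the options hash the template's line wins and this fragment is silently dead, and the two can disagree. Either fail at catalog compile time when both are set, or document that `use_issue_net` must not be combined with a `Banner` entry in the server options; at minimum a comment on the fragment such as `# order '01': must follow 'global config' (order '00'); a Banner set there takes precedence in sshd` makes the ordering intent explicit.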
From: =?UTF-8?q?Robert=20F=C3=BChricht?= Date: Thu, 16 Feb 2017 00:22:58 +0000 Subject: [PATCH 029/246] adds support for managing certificates for ssh keys --- manifests/server/host_key.pp | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/manifests/server/host_key.pp b/manifests/server/host_key.pp index a8960684..9bd6c6be 100644 --- a/manifests/server/host_key.pp +++ b/manifests/server/host_key.pp @@ -28,12 +28,22 @@ # Sets the content for the private key file. # Note private_key_source and private_key_content are mutually exclusive. # +# [*certificate_source*] +# Sets the content of the source parameter for the host key certificate. +# Note certificate_source and certificate_content are mutually exclusive. +# +# [*certificate_content*] +# Sets the content for the host key certificate. +# Note certificate_source and certificate_content are mutually exclusive. +# define ssh::server::host_key ( $ensure = 'present', $public_key_source = '', $public_key_content = '', $private_key_source = '', $private_key_content = '', + $certificate_source = '', + $certificate_content = '', ) { if $public_key_source == '' and $public_key_content == '' { fail('You must provide either public_key_source or public_key_content parameter') @@ -60,6 +70,15 @@ default => $private_key_source, } + $manage_cert_content = $certificate_source ? { + '' => $certificate_content, + default => undef, + } + $manage_cert_source = $certificate_source ? { + '' => undef, + default => $certificate_source, + } + file {"${name}_pub": ensure => $ensure, owner => 'root', 
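Review bot: `certificate_source` and `certificate_content` are documented as mutually exclusive, but nothing in the new parameter handling enforces it; the selectors that follow silently let `certificate_source` win when both are given. Add a guard next to the existing checks: `if $certificate_source != '' and $certificate_content != '' {` / `  fail('certificate_source and certificate_content are mutually exclusive')` / `}`. The define's body continues past this hunk, so I cannot see whether the key parameters get such a check either; if not, the same guard applies there.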
@@ -81,4 +100,17 @@ content => $manage_priv_key_content, notify => Class['ssh::server::service'], } + + if !empty($certificate_source) or !empty($certificate_content) { + file {"${name}_cert": + ensure => $ensure, + owner => 'root', + group => 'root', + mode => '0644', + path => "${::ssh::params::sshd_dir}/${name}-cert.pub", + source => $manage_cert_source, + content => $manage_cert_content, + notify => Class['ssh::server::service'], + } + } } From 3be1a603f947bddb18354cc7bc42ee4eb29abb07 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20F=C3=BChricht?= Date: Thu, 16 Feb 2017 00:23:51 +0000 Subject: [PATCH 030/246] adds unit tests for ssh::server::host_key type --- spec/defines/server/host_key_spec.rb | 174 +++++++++++++++++++++++++++ 1 file changed, 174 insertions(+) create mode 100644 spec/defines/server/host_key_spec.rb diff --git a/spec/defines/server/host_key_spec.rb b/spec/defines/server/host_key_spec.rb new file mode 100644 index 00000000..262cfacf --- /dev/null +++ b/spec/defines/server/host_key_spec.rb 
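Review bot: The `${name}_cert` file resource is only declared when a certificate parameter is given, so a call with `ensure => 'absent'` and no certificate parameter leaves a previously deployed `${name}-cert.pub` on disk; evaluating the condition as `if $ensure == 'absent' or !empty($certificate_source) or !empty($certificate_content) {` lets removal clean it up as well. Placing the certificate next to the key also does nothing by itself, since sshd only presents it once `HostCertificate` points at the file, and I do not see that wiring anywhere in this diff. The parameter docs should therefore say that the caller still has to add `HostCertificate <sshd_dir>/<name>-cert.pub` to sshd_config (for example through the server options hash).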
@@ -0,0 +1,174 @@ +require 'spec_helper' + +describe 'ssh::server::host_key', type: :define do + let :title do + 'something' + end + + let(:pre_condition) { 'class {"::ssh::params": }' } + + let :facts do + { + osfamily: 'RedHat', + concat_basedir: '/tmp', + puppetversion: '3.7.0', + sshdsakey: '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', + sshrsakey: 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDzA57hAMwz6pywCgxNUcloWeNMvBo2PDPxK2RCegst+9tYaf4S3shnM9a1j2PGBoeRXTuUG6mYB32fJm6/37UUUJA4lT+8CZ3hNnDZU9aitpukkKon7RIlvY1PWO8wT4A5mEa0hfdQg6Um8KZZUs+jrB+8zMJO/X0fmleY54r/JKrP3hNcpaJpTUVQEvMmKacW7nYez/PvWKAz8d02uAOXuauGKhZ9K2AHYKlQFqJ4S1jLiduoGFWxFQ2vQybbN/O0PQQU7EZlHIjSzwoowZLzlxCKCZcKnoDsbGCtYHArbjxTb+m5e7nvsamz7TXLoY90Srmc5QGMxrLUlSvkYsm5', + sshecdsakey: 'AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFDrof0LPA0hGuwODy+5uTynV7rgPJspvZo2TzykBu5mSANJvdL1z5/JS3x16/c/cDjx2lfEkRoVDnon4/NjKEM=', + sshed25519key: '', + id: 'root', + is_pe: false, + path: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games' + } + end + + describe 'with public_key_content, private_key_content and certificate_content' do + let :params do + { + public_key_content: 'abc', + private_key_content: 'bcd', + certificate_content: 'cde', + } + end + + it do + is_expected.to contain_file('something_pub') + .with_content('abc') + .with_ensure('present') + .with_owner('root') + .with_group('root') + .with_mode('0644') + .with_path('/etc/ssh/something.pub') + is_expected.to contain_file('something_priv') + .with_content('bcd') + .with_ensure('present') + .with_owner('root') + .with_group('root') + .with_mode('0600') + .with_path('/etc/ssh/something') + is_expected.to contain_file('something_cert') + .with_content('cde') + .with_ensure('present') + .with_owner('root') + .with_group('root') + .with_mode('0644') + .with_path('/etc/ssh/something-cert.pub') + end + end + + describe 'with public_key_content and private_key_content' do + let :params do + { + 
public_key_content: 'abc', + private_key_content: 'bcd', + } + end + + it do + is_expected.to contain_file('something_pub') + .with_content('abc') + .with_ensure('present') + .with_owner('root') + .with_group('root') + .with_mode('0644') + .with_path('/etc/ssh/something.pub') + is_expected.to contain_file('something_priv') + .with_content('bcd') + .with_ensure('present') + .with_owner('root') + .with_group('root') + .with_mode('0600') + .with_path('/etc/ssh/something') + is_expected.not_to contain_file('something_cert') + end + end + + describe 'with *_key_content and *_key_source, *_key_source takes precedence' do + let :params do + { + public_key_content: 'abc', + public_key_source: 'a', + private_key_content: 'bcd', + private_key_source: 'b', + } + end + + it do + is_expected.to contain_file('something_pub') + .without_content() + .with_source('a') + .with_ensure('present') + .with_owner('root') + .with_group('root') + .with_mode('0644') + .with_path('/etc/ssh/something.pub') + is_expected.to contain_file('something_priv') + .without_content() + .with_source('b') + .with_ensure('present') + .with_owner('root') + .with_group('root') + .with_mode('0600') + .with_path('/etc/ssh/something') + is_expected.not_to contain_file('something_cert') + end + end + + describe 'with private_key_content and no public_key_content' do + let :params do + { + private_key_content: 'bcd', + } + end + + it 'fails' do + expect do + is_expected.to compile + end.to raise_error(%r{You must provide either public_key_source or public_key_content parameter}) + end + end + + describe 'with public_key_content and no private_key_content' do + let :params do + { + public_key_content: 'abc', + } + end + + it 'fails' do + expect do + is_expected.to compile + end.to raise_error(%r{You must provide either private_key_source or private_key_content parameter}) + end + end + + describe 'with private_key_source and no public_key_source' do + let :params do + { + private_key_source: 'bcd', + } + end + + 
it 'fails' do + expect do + is_expected.to compile + end.to raise_error(%r{You must provide either public_key_source or public_key_content parameter}) + end + end + + describe 'with public_key_source and no private_key_source' do + let :params do + { + public_key_source: 'abc', + } + end + + it 'fails' do + expect do + is_expected.to compile + end.to raise_error(%r{You must provide either private_key_source or private_key_content parameter}) + end + end +end + +# vim: tabstop=2 shiftwidth=2 softtabstop=2 From ac88e9883c6534660e449cda83cb8c1c99c8218b Mon Sep 17 00:00:00 2001 From: Peter Souter Date: Mon, 20 Mar 2017 12:14:45 +0000 Subject: [PATCH 031/246] Fixes issue with fact on different version strings * ssh versions can in the format `7.2p2` * Update the fact regex and add unit test for this * Clears facter runs to fix tests * Changes confines to check for a regex of a digit * The confine before was for truth: this would not work as the values are strings, not booleans --- lib/facter/ssh_client_version.rb | 2 - lib/facter/ssh_server_version.rb | 14 +++++-- spec/unit/facter/ssh_client_version_spec.rb | 1 + .../facter/ssh_server_version_major_spec.rb | 41 +++++++++++++++++++ spec/unit/facter/ssh_server_version_spec.rb | 1 + 5 files changed, 54 insertions(+), 5 deletions(-) create mode 100644 spec/unit/facter/ssh_server_version_major_spec.rb diff --git a/lib/facter/ssh_client_version.rb b/lib/facter/ssh_client_version.rb index 71cb3c5e..5e62e706 100644 --- a/lib/facter/ssh_client_version.rb +++ b/lib/facter/ssh_client_version.rb @@ -17,7 +17,6 @@ Facter.add('ssh_client_version_major') do confine :kernel => %w(Linux SunOS FreeBSD Darwin) - confine :ssh_client_version_full => true setcode do version = Facter.value('ssh_client_version_full') @@ -27,7 +26,6 @@ Facter.add('ssh_client_version_release') do confine :kernel => %w(Linux SunOS FreeBSD Darwin) - confine :ssh_client_version_full => true setcode do version = Facter.value('ssh_client_version_full') 
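Review bot: No example passes `certificate_source`, so the path where `certificate_source` takes precedence and `something_cert` gets `source` instead of `content` is untested, even though the sibling `*_key_source takes precedence` example covers exactly that for the key files. There is also no `ensure: 'absent'` example, which is where the conditional around the certificate resource in the define is most likely to behave unexpectedly. A `describe 'with certificate_content and certificate_source, certificate_source takes precedence'` block modelled on the existing one, plus an absent case, would close both gaps cheaply.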
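Review bot: Removing `confine :ssh_client_version_full => true` from `ssh_client_version_major` (and likewise in the `ssh_client_version_release` hunk right after it) leaves the client facts with no confine on the full-version fact at all, whereas the server-side facts in the same patch replace it with `confine :ssh_server_version_full => /\d+/`. Unless the `setcode` bodies, which lie outside these hunks, still guard against a nil `version`, the facts now evaluate on hosts where the client version could not be determined. Adding `confine :ssh_client_version_full => /\d+/` in both places keeps client and server facts consistent.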
diff --git a/lib/facter/ssh_server_version.rb b/lib/facter/ssh_server_version.rb index 616838c9..10c3f06b 100644 --- a/lib/facter/ssh_server_version.rb +++ b/lib/facter/ssh_server_version.rb @@ -20,17 +20,25 @@ Facter.add('ssh_server_version_major') do confine :kernel => %w(Linux SunOS FreeBSD Darwin) - confine :ssh_server_version_full => true + confine :ssh_server_version_full => /\d+/ setcode do version = Facter.value('ssh_server_version_full') - version.gsub(%r{^([0-9]+\.[0-9]+).*$}, '\1') unless version.nil? + case version + when /([0-9]+)\.([0-9]+)\.([0-9]+p[0-9]+)/ + # 6.6.1p1 style formatting + version.gsub(%r{([0-9]+)\.([0-9]+)\.([0-9]+p[0-9]+)}, '\1') + when /^([0-9]+)\.([0-9]+p[0-9]+)/ + # 7.2p2 style formatting + version.gsub(%r{^([0-9]+)\.([0-9]+p[0-9]+)}, '\1') + end + end end Facter.add('ssh_server_version_release') do confine :kernel => %w(Linux SunOS FreeBSD Darwin) - confine :ssh_server_version_full => true + confine :ssh_server_version_full => /\d+/ setcode do version = Facter.value('ssh_server_version_full') diff --git a/spec/unit/facter/ssh_client_version_spec.rb b/spec/unit/facter/ssh_client_version_spec.rb index ddd4b74f..32e40ec7 100644 --- a/spec/unit/facter/ssh_client_version_spec.rb +++ b/spec/unit/facter/ssh_client_version_spec.rb @@ -2,6 +2,7 @@ describe 'ssh_client_version_full' do before do + Facter.clear Facter.fact(:kernel).stubs(:value).returns('linux') end context 'on a Linux host' do diff --git a/spec/unit/facter/ssh_server_version_major_spec.rb b/spec/unit/facter/ssh_server_version_major_spec.rb new file mode 100644 index 00000000..c783f377 --- /dev/null +++ b/spec/unit/facter/ssh_server_version_major_spec.rb 
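Review bot: The `case version` added to `ssh_server_version_major` has no fallback branch, so a version string matching neither `N.N.NpN` nor `N.NpN` — for instance a bare `major.minor` without the portable `pN` suffix — resolves the fact to nil even though the `/\d+/` confine accepted it; whether such strings occur on the confined kernels I cannot tell from this hunk. Both branches only keep the leading integer, so `version[%r{^(\d+)\.}, 1]` as the sole `setcode` expression would cover all three forms and still yield nil when nothing matches. The `ssh_server_version_release` fact below receives the new confine, but its parsing is outside the hunk and may have the same gap.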
@@ -0,0 +1,41 @@ +require "spec_helper" + +describe Facter::Util::Fact do + before do + Facter.clear + Facter.fact(:kernel).stubs(:value).returns('linux') + end + + describe "ssh_server_version_major" do + context '3 point semver syntax (6.6.1p1)' do + context 'returns major version when ssh_server_version_full fact present' do + before :each do + Facter.fact(:ssh_server_version_full).stubs(:value).returns('6.6.1p1') + end + it do + expect(Facter.fact(:ssh_server_version_major).value).to eq("6") + end + end + end + + context '2 point semver syntax (7.2p2)' do + context 'returns major version when ssh_server_version_full fact present' do + before :each do + Facter.fact(:ssh_server_version_full).stubs(:value).returns('7.2p2') + end + it do + expect(Facter.fact(:ssh_server_version_major).value).to eq("7") + end + end + end + + context 'returns nil when ssh_server_version_full fact not present' do + before :each do + Facter.fact(:ssh_server_version_full).stubs(:value).returns(nil) + end + it do + expect(Facter.fact(:ssh_server_version_major).value).to be_nil + end + end + end +end diff --git a/spec/unit/facter/ssh_server_version_spec.rb b/spec/unit/facter/ssh_server_version_spec.rb index 73c9c897..d86d824d 100644 --- a/spec/unit/facter/ssh_server_version_spec.rb +++ b/spec/unit/facter/ssh_server_version_spec.rb @@ -2,6 +2,7 @@ describe 'ssh_server_version_full' do before do + Facter.clear Facter.fact(:kernel).stubs(:value).returns('linux') end context 'on a Linux host' do From f7f835b44eb82d5c5f7f808b03f31c9c9bead0c2 Mon Sep 17 00:00:00 2001 From: Shannon Carver Date: Thu, 23 Mar 2017 17:00:15 +0800 Subject: [PATCH 032/246] Allowing the ssh::server::match_block: options to be sent in the same way ssh:server::options can be set (when using 'include ssh::server' and not including the entire ssh class). Options worked fine, but match block was missing See saz/puppet-ssh#194 for better explanation --- manifests/server.pp | 12 ++++++++++++ 1 file changed, 12 insertions(+) 
diff --git a/manifests/server.pp b/manifests/server.pp index c1459433..db16d31d 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -5,10 +5,20 @@ $validate_sshd_file = false, $use_augeas = false, $options_absent = [], + $match_block = {}, ) inherits ssh::params { + validate_hash($match_block) + # Merge hashes from multiple layer of hierarchy in hiera $hiera_options = hiera_hash("${module_name}::server::options", undef) + $hiera_match_block = hiera_hash("${module_name}::server::match_block", undef) + + $fin_match_block = $hiera_match_block ? { + undef => $match_block, + '' => $match_block, + default => $hiera_match_block, + } $fin_options = $hiera_options ? { undef => $options, @@ -49,4 +59,6 @@ Class['ssh::server::service'] -> Anchor['ssh::server::end'] } + + create_resources('::ssh::server::match_block', $fin_match_block) } From de3606a523d9c3a66937a663c065fe7b4e2b5808 Mon Sep 17 00:00:00 2001 From: Zach Crownover Date: Thu, 6 Apr 2017 06:18:13 +0000 Subject: [PATCH 033/246] Add DragonFly BSD support by copying what's used for FreeBSD --- lib/facter/ssh_client_version.rb | 6 +++--- lib/facter/ssh_server_version.rb | 6 +++--- manifests/params.pp | 2 +- metadata.json | 3 +++ 4 files changed, 10 insertions(+), 7 deletions(-) diff --git a/lib/facter/ssh_client_version.rb b/lib/facter/ssh_client_version.rb index 71cb3c5e..8145226c 100644 --- a/lib/facter/ssh_client_version.rb +++ b/lib/facter/ssh_client_version.rb @@ -1,5 +1,5 @@ Facter.add('ssh_client_version_full') do - confine :kernel => %w(Linux SunOS FreeBSD Darwin) + confine :kernel => %w(Linux SunOS FreeBSD DragonFly Darwin) setcode do if Facter::Util::Resolution.which('ssh') @@ -16,7 +16,7 @@ end Facter.add('ssh_client_version_major') do - confine :kernel => %w(Linux SunOS FreeBSD Darwin) + confine :kernel => %w(Linux SunOS FreeBSD DragonFly Darwin) confine :ssh_client_version_full => true setcode do version = Facter.value('ssh_client_version_full') 
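Review bot: `validate_hash($match_block)` only checks the class parameter, but the value actually handed to `create_resources('::ssh::server::match_block', $fin_match_block)` can come from `hiera_hash("${module_name}::server::match_block", undef)` and is never validated, so a mis-typed hiera value fails deep inside create_resources instead of at the class boundary. Moving the check to `validate_hash($fin_match_block)` after the selector covers both sources. The `'' => $match_block` arm looks unreachable for a hash lookup; a short comment on why it is there, or dropping it, would help the next reader. Where the resulting match_block resources order relative to the `ssh::server::config` concat is outside this hunk.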
@@ -26,7 +26,7 @@ end Facter.add('ssh_client_version_release') do - confine :kernel => %w(Linux SunOS FreeBSD Darwin) + confine :kernel => %w(Linux SunOS FreeBSD DragonFly Darwin) confine :ssh_client_version_full => true setcode do version = Facter.value('ssh_client_version_full') diff --git a/lib/facter/ssh_server_version.rb b/lib/facter/ssh_server_version.rb index 616838c9..2a3709b6 100644 --- a/lib/facter/ssh_server_version.rb +++ b/lib/facter/ssh_server_version.rb @@ -1,5 +1,5 @@ Facter.add('ssh_server_version_full') do - confine :kernel => %w(Linux SunOS FreeBSD Darwin) + confine :kernel => %w(Linux SunOS FreeBSD DragonFly Darwin) setcode do if Facter::Util::Resolution.which('sshd') @@ -19,7 +19,7 @@ end Facter.add('ssh_server_version_major') do - confine :kernel => %w(Linux SunOS FreeBSD Darwin) + confine :kernel => %w(Linux SunOS FreeBSD DragonFly Darwin) confine :ssh_server_version_full => true setcode do version = Facter.value('ssh_server_version_full') @@ -29,7 +29,7 @@ end Facter.add('ssh_server_version_release') do - confine :kernel => %w(Linux SunOS FreeBSD Darwin) + confine :kernel => %w(Linux SunOS FreeBSD DragonFly Darwin) confine :ssh_server_version_full => true setcode do version = Facter.value('ssh_server_version_full') diff --git a/manifests/params.pp b/manifests/params.pp index 1a3386fc..4097ff66 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -20,7 +20,7 @@ $service_name = 'sshd' $sftp_server_path = '/usr/libexec/openssh/sftp-server' } - 'FreeBSD': { + 'FreeBSD', 'DragonFly': { $server_package_name = undef $client_package_name = undef $sshd_dir = '/etc/ssh' diff --git a/metadata.json b/metadata.json index 4eeec62c..d43caad6 100644 --- a/metadata.json +++ b/metadata.json @@ -21,6 +21,9 @@ { "operatingsystem": "FreeBSD" }, + { + "operatingsystem": "DragonFly" + }, { "operatingsystem": "OpenBSD" }, From 209291d01e2d40745acf576ceea0cac46d7c6642 Mon Sep 17 00:00:00 2001 
From: Leo Antunes Date: Fri, 5 May 2017 12:23:46 +0200 Subject: [PATCH 034/246] add way to add host aliases to the exported sshkeys --- manifests/hostkeys.pp | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/manifests/hostkeys.pp b/manifests/hostkeys.pp index 264a885e..1a07c7e0 100644 --- a/manifests/hostkeys.pp +++ b/manifests/hostkeys.pp @@ -2,12 +2,15 @@ class ssh::hostkeys( $export_ipaddresses = true, $storeconfigs_group = undef, + $extra_aliases = [], ) { + validate_array($extra_aliases) + if $export_ipaddresses == true { $ipaddresses = ipaddresses() - $host_aliases = flatten([ $::fqdn, $::hostname, $ipaddresses ]) + $host_aliases = flatten([ $::fqdn, $::hostname, $extra_aliases, $ipaddresses ]) } else { - $host_aliases = flatten([ $::fqdn, $::hostname ]) + $host_aliases = flatten([ $::fqdn, $::hostname, $extra_aliases]) } if $storeconfigs_group { From d46c70ae3da1da60654cf7032b38716c26d5e450 Mon Sep 17 00:00:00 2001 From: Leo Antunes Date: Fri, 5 May 2017 14:18:49 +0200 Subject: [PATCH 035/246] update rubocop config --- .rubocop.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.rubocop.yml b/.rubocop.yml index 2743d41e..0696a493 100644 --- a/.rubocop.yml +++ b/.rubocop.yml @@ -298,7 +298,7 @@ Style/EmptyLiteral: Metrics/LineLength: Enabled: false -Style/MethodCallParentheses: +Style/MethodCallWithoutArgsParentheses: Enabled: true Style/MethodDefParentheses: @@ -495,7 +495,7 @@ Style/ClosingParenthesisIndentation: Enabled: false BlockLength: - Max: 70 + Max: 70 # RSpec @@ -508,4 +508,4 @@ RSpec/ExampleLength: Enabled: False RSpec/NestedGroups: - MaxNesting: 5 + Max: 5 From 9bf4d1af771c2899929d65b1df00e78ecd1720f4 Mon Sep 17 00:00:00 2001 From: Leo Antunes Date: Fri, 5 May 2017 14:48:42 +0200 Subject: [PATCH 036/246] rearrange arrows to appease linter --- manifests/client.pp | 18 +++++++++--------- manifests/server.pp | 24 ++++++++++++------------ 2 files changed, 21 insertions(+), 21 deletions(-) 
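Review bot: `$extra_aliases` is validated as an array but its elements are not, and they flow into `$host_aliases`, which presumably (the export is outside the hunk) becomes the `host_aliases` of the exported sshkey — every collecting node will then bind this host's key to those names, and two nodes claiming the same alias yield conflicting known_hosts entries. A comment on the parameter stating that aliases are trusted input that must be unique across exporting nodes, plus a check that each element is a non-empty string, would make that contract explicit. Minor: `$extra_aliases]` is missing the space before `]` that the other `flatten([ ... ])` call has.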
diff --git a/manifests/client.pp b/manifests/client.pp index 7129a89d..5a2a3c8f 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -32,15 +32,15 @@ if ($storeconfigs_enabled) { include ::ssh::knownhosts - Anchor['ssh::client::start'] -> - Class['ssh::client::install'] -> - Class['ssh::client::config'] -> - Class['ssh::knownhosts'] -> - Anchor['ssh::client::end'] + Anchor['ssh::client::start'] + -> Class['ssh::client::install'] + -> Class['ssh::client::config'] + -> Class['ssh::knownhosts'] + -> Anchor['ssh::client::end'] } else { - Anchor['ssh::client::start'] -> - Class['ssh::client::install'] -> - Class['ssh::client::config'] -> - Anchor['ssh::client::end'] + Anchor['ssh::client::start'] + -> Class['ssh::client::install'] + -> Class['ssh::client::config'] + -> Anchor['ssh::client::end'] } } diff --git a/manifests/server.pp b/manifests/server.pp index c1459433..42695eca 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -35,18 +35,18 @@ include ::ssh::hostkeys include ::ssh::knownhosts - Anchor['ssh::server::start'] -> - Class['ssh::server::install'] -> - Class['ssh::server::config'] ~> - Class['ssh::server::service'] -> - Class['ssh::hostkeys'] -> - Class['ssh::knownhosts'] -> - Anchor['ssh::server::end'] + Anchor['ssh::server::start'] + -> Class['ssh::server::install'] + -> Class['ssh::server::config'] + ~> Class['ssh::server::service'] + -> Class['ssh::hostkeys'] + -> Class['ssh::knownhosts'] + -> Anchor['ssh::server::end'] } else { - Anchor['ssh::server::start'] -> - Class['ssh::server::install'] -> - Class['ssh::server::config'] ~> - Class['ssh::server::service'] -> - Anchor['ssh::server::end'] + Anchor['ssh::server::start'] + -> Class['ssh::server::install'] + -> Class['ssh::server::config'] + ~> Class['ssh::server::service'] + -> Anchor['ssh::server::end'] } } From 6578348f6d1dc6f01daccb87973b460c22a6cd28 Mon Sep 17 00:00:00 2001 
From: Leo Antunes Date: Fri, 5 May 2017 14:48:57 +0200 Subject: [PATCH 037/246] update fixtures to fix tests on puppet<4 --- .fixtures.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.fixtures.yml b/.fixtures.yml index 185f53b7..5555932f 100644 --- a/.fixtures.yml +++ b/.fixtures.yml @@ -1,6 +1,8 @@ fixtures: repositories: stdlib: "https://github.com/puppetlabs/puppetlabs-stdlib" - concat: "https://github.com/puppetlabs/puppetlabs-concat" + concat: + repo: "https://github.com/puppetlabs/puppetlabs-concat" + ref: "2.1.x" symlinks: ssh: "#{source_dir}" From 354d057d67706a9df8560da2b5798994ca55f747 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Mon, 26 Jun 2017 12:07:59 +0200 Subject: [PATCH 038/246] add .pmtignore file --- .pmtignore | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 .pmtignore diff --git a/.pmtignore b/.pmtignore new file mode 100644 index 00000000..fb589575 --- /dev/null +++ b/.pmtignore @@ -0,0 +1,20 @@ +docs/ +pkg/ +Gemfile.lock +Gemfile.local +vendor/ +.vendor/ +spec/fixtures/manifests/ +spec/fixtures/modules/ +.vagrant/ +.bundle/ +.ruby-version +coverage/ +log/ +.idea/ +.dependencies/ +.librarian/ +Puppetfile.lock +*.iml +.*.sw? +.yardoc/ From 9d59eed28b5a3082a926b86eeaaecd66f81cbdb4 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Mon, 26 Jun 2017 12:08:28 +0200 Subject: [PATCH 039/246] drop ruby 1.9 support --- .travis.yml | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/.travis.yml b/.travis.yml index bb3f6428..f5cd2dd9 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -14,22 +14,16 @@ script: matrix: fast_finish: true include: - - rvm: 1.9.3 - env: PUPPET_VERSION="~> 3.0" STRICT_VARIABLES="yes" CHECK=test - - rvm: 1.9.3 - env: PUPPET_VERSION="~> 3.0" STRICT_VARIABLES="yes" FUTURE_PARSER="yes" CHECK=test - rvm: 2.1 env: PUPPET_VERSION="~> 3.0" STRICT_VARIABLES="yes" CHECK=test - rvm: 2.1 env: PUPPET_VERSION="~> 4.0" STRICT_VARIABLES="yes" CHECK=test - rvm: 2.2 env: PUPPET_VERSION="~> 4.0" STRICT_VARIABLES="yes" CHECK=test - - rvm: 2.3.1 - env: PUPPET_VERSION="~> 4.0" STRICT_VARIABLES="yes" CHECK=build - rvm: 2.3.1 env: PUPPET_VERSION="~> 4.0" STRICT_VARIABLES="yes" CHECK=rubocop - rvm: 2.3.1 - env: PUPPET_VERSION="~> 4.0" STRICT_VARIABLES="yes" CHECK=test FORGEDEPLOY=true + env: PUPPET_VERSION="~> 4.0" STRICT_VARIABLES="yes" CHECK=build FORGEDEPLOY=true notifications: email: false deploy: From 15640332a0cf352d702e1b760b1aa22b44e4b6f5 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Mon, 26 Jun 2017 14:17:02 +0200 Subject: [PATCH 040/246] update rubocop config --- .rubocop.yml | 99 ++++++++++++++++++++++++++++------------------------ 1 file changed, 54 insertions(+), 45 deletions(-) diff --git a/.rubocop.yml b/.rubocop.yml index 2743d41e..6f29f30c 100644 --- a/.rubocop.yml +++ b/.rubocop.yml @@ -4,10 +4,13 @@ AllCops: Include: - ./**/*.rb Exclude: + - files/**/* - vendor/**/* - .vendor/**/* - pkg/**/* - spec/fixtures/**/* + - Gemfile + - Rakefile Lint/ConditionPosition: Enabled: true @@ -47,7 +50,7 @@ Lint/AmbiguousOperator: Lint/AssignmentInCondition: Enabled: true -Style/SpaceBeforeComment: +Layout/SpaceBeforeComment: Enabled: true Style/AndOr: @@ -70,7 +73,7 @@ Style/WhileUntilModifier: Lint/AmbiguousRegexpLiteral: Enabled: true -Lint/Eval: +Security/Eval: Enabled: true Lint/BlockAlignment: @@ -112,7 +115,7 @@ Lint/UselessAssignment: Lint/Void: Enabled: true -Style/AccessModifierIndentation: +Layout/AccessModifierIndentation: Enabled: true Style/AccessorMethodName: 
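Review bot: With the Ruby 2.3.1 `CHECK=test` job deleted and `FORGEDEPLOY=true` moved onto the `CHECK=build` job, the matrix no longer runs the spec suite on 2.3.1 at all, and the job that publishes to the Forge is one that never runs tests. Unless the `deploy:` section below the hunk is gated on the whole matrix passing, a release can be pushed from a green build job while the 2.1/2.2 test jobs fail. Keeping a `- rvm: 2.3.1` / `env: PUPPET_VERSION="~> 4.0" STRICT_VARIABLES="yes" CHECK=test` entry, or confirming the deploy condition, would close that gap.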
@@ -121,13 +124,13 @@ Style/AccessorMethodName: Style/Alias: Enabled: true -Style/AlignArray: +Layout/AlignArray: Enabled: true -Style/AlignHash: +Layout/AlignHash: Enabled: true -Style/AlignParameters: +Layout/AlignParameters: Enabled: true Metrics/BlockNesting: @@ -145,7 +148,7 @@ Style/BracesAroundHashParameters: Style/CaseEquality: Enabled: true -Style/CaseIndentation: +Layout/CaseIndentation: Enabled: true Style/CharacterLiteral: @@ -179,64 +182,64 @@ Style/WordArray: Style/UnneededPercentQ: Enabled: true -Style/Tab: +Layout/Tab: Enabled: true -Style/SpaceBeforeSemicolon: +Layout/SpaceBeforeSemicolon: Enabled: true -Style/TrailingBlankLines: +Layout/TrailingBlankLines: Enabled: true -Style/SpaceInsideBlockBraces: +Layout/SpaceInsideBlockBraces: Enabled: true -Style/SpaceInsideBrackets: +Layout/SpaceInsideBrackets: Enabled: true -Style/SpaceInsideHashLiteralBraces: +Layout/SpaceInsideHashLiteralBraces: Enabled: true -Style/SpaceInsideParens: +Layout/SpaceInsideParens: Enabled: true -Style/LeadingCommentSpace: +Layout/LeadingCommentSpace: Enabled: true -Style/SpaceBeforeFirstArg: +Layout/SpaceBeforeFirstArg: Enabled: true -Style/SpaceAfterColon: +Layout/SpaceAfterColon: Enabled: true -Style/SpaceAfterComma: +Layout/SpaceAfterComma: Enabled: true -Style/SpaceAfterMethodName: +Layout/SpaceAfterMethodName: Enabled: true -Style/SpaceAfterNot: +Layout/SpaceAfterNot: Enabled: true -Style/SpaceAfterSemicolon: +Layout/SpaceAfterSemicolon: Enabled: true -Style/SpaceAroundEqualsInParameterDefault: +Layout/SpaceAroundEqualsInParameterDefault: Enabled: true -Style/SpaceAroundOperators: +Layout/SpaceAroundOperators: Enabled: true -Style/SpaceBeforeBlockBraces: +Layout/SpaceBeforeBlockBraces: Enabled: true -Style/SpaceBeforeComma: +Layout/SpaceBeforeComma: Enabled: true Style/CollectionMethods: Enabled: true -Style/CommentIndentation: +Layout/CommentIndentation: Enabled: true Style/ColonMethodCall: 
@@ -261,7 +264,7 @@ Style/DefWithParentheses: Style/PreferredHashMethods: Enabled: true -Style/DotPosition: +Layout/DotPosition: EnforcedStyle: trailing Style/DoubleNegation: @@ -270,25 +273,25 @@ Style/DoubleNegation: Style/EachWithObject: Enabled: true -Style/EmptyLineBetweenDefs: +Layout/EmptyLineBetweenDefs: Enabled: true -Style/IndentArray: +Layout/IndentArray: Enabled: true -Style/IndentHash: +Layout/IndentHash: Enabled: true -Style/IndentationConsistency: +Layout/IndentationConsistency: Enabled: true -Style/IndentationWidth: +Layout/IndentationWidth: Enabled: true -Style/EmptyLines: +Layout/EmptyLines: Enabled: true -Style/EmptyLinesAroundAccessModifier: +Layout/EmptyLinesAroundAccessModifier: Enabled: true Style/EmptyLiteral: @@ -298,16 +301,13 @@ Style/EmptyLiteral: Metrics/LineLength: Enabled: false -Style/MethodCallParentheses: - Enabled: true - Style/MethodDefParentheses: Enabled: true Style/LineEndConcatenation: Enabled: true -Style/TrailingWhitespace: +Layout/TrailingWhitespace: Enabled: true Style/StringLiterals: @@ -459,7 +459,7 @@ Metrics/ParameterLists: Lint/RequireParentheses: Enabled: true -Style/SpaceBeforeFirstArg: +Layout/SpaceBeforeFirstArg: Enabled: true Style/ModuleFunction: @@ -477,13 +477,19 @@ Style/Encoding: Style/BlockDelimiters: Enabled: true -Style/MultilineBlockLayout: +Style/FormatStringToken: + Enabled: false + +Layout/MultilineBlockLayout: Enabled: true # 'Complexity' is very relative Metrics/AbcSize: Enabled: False +Metrics/BlockLength: + Enabled: False + # 'Complexity' is very relative Metrics/PerceivedComplexity: Enabled: False @@ -491,11 +497,14 @@ Metrics/PerceivedComplexity: Lint/UselessAssignment: Enabled: true -Style/ClosingParenthesisIndentation: +Layout/ClosingParenthesisIndentation: + Enabled: false + +Metrics/BlockLength: Enabled: false -BlockLength: - Max: 70 +NumericLiterals: + Enabled: false # RSpec 
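Review bot: `Metrics/BlockLength` is now declared twice in the same file — `Enabled: False` in the hunk at `-477,13` and `Enabled: false` in the hunk at `-491,11` — so one of the two is redundant and YAML will simply keep whichever comes last. In the same `-491` hunk `NumericLiterals:` lacks its department prefix; the cop is `Style/NumericLiterals`, and RuboCop may warn about the bare name. Dropping the duplicate and writing `Style/NumericLiterals:` keeps the config unambiguous.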
@@ -507,5 +516,5 @@ RSpec/DescribeClass: RSpec/ExampleLength: Enabled: False -RSpec/NestedGroups: - MaxNesting: 5 +RSpec/NestedGroups: + Max: 5 From ba969565b1fc9e801033131527009e2b2ba13d9e Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Mon, 26 Jun 2017 14:17:47 +0200 Subject: [PATCH 041/246] fix style guide issues --- manifests/client.pp | 18 +++++++++--------- manifests/server.pp | 24 ++++++++++++------------ 2 files changed, 21 insertions(+), 21 deletions(-) diff --git a/manifests/client.pp b/manifests/client.pp index 7129a89d..5a2a3c8f 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -32,15 +32,15 @@ if ($storeconfigs_enabled) { include ::ssh::knownhosts - Anchor['ssh::client::start'] -> - Class['ssh::client::install'] -> - Class['ssh::client::config'] -> - Class['ssh::knownhosts'] -> - Anchor['ssh::client::end'] + Anchor['ssh::client::start'] + -> Class['ssh::client::install'] + -> Class['ssh::client::config'] + -> Class['ssh::knownhosts'] + -> Anchor['ssh::client::end'] } else { - Anchor['ssh::client::start'] -> - Class['ssh::client::install'] -> - Class['ssh::client::config'] -> - Anchor['ssh::client::end'] + Anchor['ssh::client::start'] + -> Class['ssh::client::install'] + -> Class['ssh::client::config'] + -> Anchor['ssh::client::end'] } } diff --git a/manifests/server.pp b/manifests/server.pp index c1459433..42695eca 100644 --- a/manifests/server.pp +++ b/manifests/server.pp 
@@ -35,18 +35,18 @@ include ::ssh::hostkeys include ::ssh::knownhosts - Anchor['ssh::server::start'] -> - Class['ssh::server::install'] -> - Class['ssh::server::config'] ~> - Class['ssh::server::service'] -> - Class['ssh::hostkeys'] -> - Class['ssh::knownhosts'] -> - Anchor['ssh::server::end'] + Anchor['ssh::server::start'] + -> Class['ssh::server::install'] + -> Class['ssh::server::config'] + ~> Class['ssh::server::service'] + -> Class['ssh::hostkeys'] + -> Class['ssh::knownhosts'] + -> Anchor['ssh::server::end'] } else { - Anchor['ssh::server::start'] -> - Class['ssh::server::install'] -> - Class['ssh::server::config'] ~> - Class['ssh::server::service'] -> - Anchor['ssh::server::end'] + Anchor['ssh::server::start'] + -> Class['ssh::server::install'] + -> Class['ssh::server::config'] + ~> Class['ssh::server::service'] + -> Anchor['ssh::server::end'] } } From 240186df9be600e2b6919d4d900db9f6a9c3bc42 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Mon, 26 Jun 2017 17:45:23 +0200 Subject: [PATCH 042/246] fix rubocop issues --- lib/facter/ssh_client_version.rb | 6 +++--- lib/facter/ssh_server_version.rb | 13 ++++++------- lib/puppet/parser/functions/ipaddresses.rb | 2 +- spec/classes/client_spec.rb | 2 ++ spec/classes/init_spec.rb | 2 ++ .../util/fact_ssh_server_version_major_spec.rb} | 14 +++++++------- 6 files changed, 21 insertions(+), 18 deletions(-) rename spec/{unit/facter/ssh_server_version_major_spec.rb => facter/util/fact_ssh_server_version_major_spec.rb} (87%) diff --git a/lib/facter/ssh_client_version.rb b/lib/facter/ssh_client_version.rb index 1b7f1349..856106a4 100644 --- a/lib/facter/ssh_client_version.rb +++ b/lib/facter/ssh_client_version.rb @@ -1,5 +1,5 @@ Facter.add('ssh_client_version_full') do - confine :kernel => %w(Linux SunOS FreeBSD DragonFly Darwin) + confine :kernel => %w[Linux SunOS FreeBSD DragonFly Darwin] setcode do if Facter::Util::Resolution.which('ssh') 
@@ -16,7 +16,7 @@ end Facter.add('ssh_client_version_major') do - confine :kernel => %w(Linux SunOS FreeBSD DragonFly Darwin) + confine :kernel => %w[Linux SunOS FreeBSD DragonFly Darwin] setcode do version = Facter.value('ssh_client_version_full') @@ -25,7 +25,7 @@ end Facter.add('ssh_client_version_release') do - confine :kernel => %w(Linux SunOS FreeBSD DragonFly Darwin) + confine :kernel => %w[Linux SunOS FreeBSD DragonFly Darwin] setcode do version = Facter.value('ssh_client_version_full') diff --git a/lib/facter/ssh_server_version.rb b/lib/facter/ssh_server_version.rb index 3c4700fb..ed9dc4f1 100644 --- a/lib/facter/ssh_server_version.rb +++ b/lib/facter/ssh_server_version.rb @@ -1,5 +1,5 @@ Facter.add('ssh_server_version_full') do - confine :kernel => %w(Linux SunOS FreeBSD DragonFly Darwin) + confine :kernel => %w[Linux SunOS FreeBSD DragonFly Darwin] setcode do if Facter::Util::Resolution.which('sshd') @@ -19,25 +19,24 @@ end Facter.add('ssh_server_version_major') do - confine :kernel => %w(Linux SunOS FreeBSD DragonFly Darwin) - confine :ssh_server_version_full => /\d+/ + confine :kernel => %w[Linux SunOS FreeBSD DragonFly Darwin] + confine :ssh_server_version_full => %r{\d+} setcode do version = Facter.value('ssh_server_version_full') case version - when /([0-9]+)\.([0-9]+)\.([0-9]+p[0-9]+)/ + when %r{([0-9]+)\.([0-9]+)\.([0-9]+p[0-9]+)} # 6.6.1p1 style formatting version.gsub(%r{([0-9]+)\.([0-9]+)\.([0-9]+p[0-9]+)}, '\1') - when /^([0-9]+)\.([0-9]+p[0-9]+)/ + when %r{^([0-9]+)\.([0-9]+p[0-9]+)} # 7.2p2 style formatting version.gsub(%r{^([0-9]+)\.([0-9]+p[0-9]+)}, '\1') end - end end Facter.add('ssh_server_version_release') do - confine :ssh_server_version_full => /\d+/ + confine :ssh_server_version_full => %r{\d+} setcode do version = Facter.value('ssh_server_version_full') diff --git a/lib/puppet/parser/functions/ipaddresses.rb b/lib/puppet/parser/functions/ipaddresses.rb index 17f20ac9..33b25804 100644 --- a/lib/puppet/parser/functions/ipaddresses.rb 
+++ b/lib/puppet/parser/functions/ipaddresses.rb @@ -1,6 +1,6 @@ module Puppet::Parser::Functions newfunction(:ipaddresses, type: :rvalue, doc: <<-EOS -Returns all ip addresses of network interfaces (except lo) found by facter. + Returns all ip addresses of network interfaces (except lo) found by facter. EOS ) do |_args| interfaces = lookupvar('interfaces') diff --git a/spec/classes/client_spec.rb b/spec/classes/client_spec.rb index 500a855d..2e32687b 100644 --- a/spec/classes/client_spec.rb +++ b/spec/classes/client_spec.rb @@ -12,6 +12,7 @@ puppetversion: '3.7.0' } end + it do is_expected.to contain_package('openssh-client').with(ensure: 'present') end @@ -32,6 +33,7 @@ ensure: 'latest' } end + it do is_expected.to contain_package('openssh-client').with(ensure: 'latest') end diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index 2da69b84..aa640d90 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb @@ -19,6 +19,7 @@ path: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games' } end + it do is_expected.to contain_class('ssh::client') end @@ -52,6 +53,7 @@ validate_sshd_file: true } end + it do is_expected.to contain_class('ssh::client') end diff --git a/spec/unit/facter/ssh_server_version_major_spec.rb b/spec/facter/util/fact_ssh_server_version_major_spec.rb similarity index 87% rename from spec/unit/facter/ssh_server_version_major_spec.rb rename to spec/facter/util/fact_ssh_server_version_major_spec.rb index c783f377..2d88d0fa 100644 --- a/spec/unit/facter/ssh_server_version_major_spec.rb +++ b/spec/facter/util/fact_ssh_server_version_major_spec.rb @@ -1,4 +1,4 @@ -require "spec_helper" +require 'spec_helper' describe Facter::Util::Fact do before do 
@@ -6,31 +6,31 @@ Facter.fact(:kernel).stubs(:value).returns('linux') end - describe "ssh_server_version_major" do + describe 'ssh_server_version_major' do context '3 point semver syntax (6.6.1p1)' do context 'returns major version when ssh_server_version_full fact present' do - before :each do + before do Facter.fact(:ssh_server_version_full).stubs(:value).returns('6.6.1p1') end it do - expect(Facter.fact(:ssh_server_version_major).value).to eq("6") + expect(Facter.fact(:ssh_server_version_major).value).to eq('6') end end end context '2 point semver syntax (7.2p2)' do context 'returns major version when ssh_server_version_full fact present' do - before :each do + before do Facter.fact(:ssh_server_version_full).stubs(:value).returns('7.2p2') end it do - expect(Facter.fact(:ssh_server_version_major).value).to eq("7") + expect(Facter.fact(:ssh_server_version_major).value).to eq('7') end end end context 'returns nil when ssh_server_version_full fact not present' do - before :each do + before do Facter.fact(:ssh_server_version_full).stubs(:value).returns(nil) end it do From 4536939b36d7a9666ca52c5a83d069b2d3c14cfb Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Mon, 26 Jun 2017 17:57:20 +0200 Subject: [PATCH 043/246] fix rspec-puppet version in Gemfile --- Gemfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile b/Gemfile index 74058d16..55c67b70 100644 --- a/Gemfile +++ b/Gemfile @@ -12,7 +12,7 @@ end group :test do gem 'puppetlabs_spec_helper', require: false - gem 'rspec-puppet', require: false, git: 'https://github.com/rodjek/rspec-puppet.git' + gem 'rspec-puppet', '~> 2.5' require: false gem 'rspec-puppet-facts', require: false gem 'rspec-puppet-utils', require: false gem 'puppet-lint-absolute_classname-check', require: false From e593c8cb7b9147aa8b31a17f87cb6ed0684185d1 Mon Sep 17 00:00:00 2001 
From: Steffen Zieger Date: Mon, 26 Jun 2017 18:03:08 +0200 Subject: [PATCH 044/246] fix spec tests for facts --- Gemfile | 2 +- .../fact_ssh_client_version_spec.rb} | 0 .../facter/util/fact_ssh_server_version_major_spec.rb | 0 .../fact_ssh_server_version_spec.rb} | 0 4 files changed, 1 insertion(+), 1 deletion(-) rename spec/unit/facter/{ssh_client_version_spec.rb => util/fact_ssh_client_version_spec.rb} (100%) rename spec/{ => unit}/facter/util/fact_ssh_server_version_major_spec.rb (100%) rename spec/unit/facter/{ssh_server_version_spec.rb => util/fact_ssh_server_version_spec.rb} (100%) diff --git a/Gemfile b/Gemfile index 55c67b70..8c8067a4 100644 --- a/Gemfile +++ b/Gemfile @@ -12,7 +12,7 @@ end group :test do gem 'puppetlabs_spec_helper', require: false - gem 'rspec-puppet', '~> 2.5' require: false + gem 'rspec-puppet', '~> 2.5', require: false gem 'rspec-puppet-facts', require: false gem 'rspec-puppet-utils', require: false gem 'puppet-lint-absolute_classname-check', require: false diff --git a/spec/unit/facter/ssh_client_version_spec.rb b/spec/unit/facter/util/fact_ssh_client_version_spec.rb similarity index 100% rename from spec/unit/facter/ssh_client_version_spec.rb rename to spec/unit/facter/util/fact_ssh_client_version_spec.rb diff --git a/spec/facter/util/fact_ssh_server_version_major_spec.rb b/spec/unit/facter/util/fact_ssh_server_version_major_spec.rb similarity index 100% rename from spec/facter/util/fact_ssh_server_version_major_spec.rb rename to spec/unit/facter/util/fact_ssh_server_version_major_spec.rb diff --git a/spec/unit/facter/ssh_server_version_spec.rb b/spec/unit/facter/util/fact_ssh_server_version_spec.rb similarity index 100% rename from spec/unit/facter/ssh_server_version_spec.rb rename to spec/unit/facter/util/fact_ssh_server_version_spec.rb From eaa22b9a56bc07fa17378293461c16fb843a2962 Mon Sep 17 00:00:00 2001 
From: Steffen Zieger Date: Mon, 26 Jun 2017 18:20:02 +0200 Subject: [PATCH 045/246] depend on concat 2.2.1 during tests --- .fixtures.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.fixtures.yml b/.fixtures.yml index 185f53b7..453390d6 100644 --- a/.fixtures.yml +++ b/.fixtures.yml @@ -1,6 +1,9 @@ fixtures: repositories: - stdlib: "https://github.com/puppetlabs/puppetlabs-stdlib" - concat: "https://github.com/puppetlabs/puppetlabs-concat" + stdlib: + repo: "puppetlabs/stdlib" + concat: + repo: "puppetlabs/concat" + ref: "2.2.1" symlinks: ssh: "#{source_dir}" From 84fde27578a49aac778824ce4f0bcfa075ca1f5f Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Mon, 26 Jun 2017 18:24:56 +0200 Subject: [PATCH 046/246] provide compatibility with puppet 3 for now... --- .fixtures.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.fixtures.yml b/.fixtures.yml index 453390d6..3082b125 100644 --- a/.fixtures.yml +++ b/.fixtures.yml @@ -1,9 +1,8 @@ fixtures: repositories: - stdlib: - repo: "puppetlabs/stdlib" + stdlib: "https://github.com/puppetlabs/puppetlabs-stdlib" concat: - repo: "puppetlabs/concat" + repo: "https://github.com/puppetlabs/puppetlabs-concat" ref: "2.2.1" symlinks: ssh: "#{source_dir}" From b90353f0feaaca5520be338fd89af0b488513346 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Mon, 26 Jun 2017 19:04:43 +0200 Subject: [PATCH 047/246] fix block line length in rubocop --- .rubocop.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.rubocop.yml b/.rubocop.yml index 251b956d..4a7db26b 100644 --- a/.rubocop.yml +++ b/.rubocop.yml @@ -507,7 +507,7 @@ Metrics/BlockLength: Enabled: false BlockLength: - Max: 70 + Max: 161 NumericLiterals: Enabled: false From a12d07539e35937e26e949a045f4e6751c429515 Mon Sep 17 00:00:00 2001 
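Review bot: `stdlib` is still fetched from the repository's default branch with no `ref`, so after this commit one test fixture is pinned (`concat` at `2.2.1`) while the other floats with upstream master; a broken or malicious upstream commit would land in CI unnoticed and test runs are not reproducible. Pin `stdlib` the same way, e.g. `stdlib:` / `  repo: "https://github.com/puppetlabs/puppetlabs-stdlib"` / `  ref: "<release tag or commit>"`, choosing the oldest version the module's metadata.json allows (that requirement is not visible on this page). Git tags are movable, so for a true supply-chain pin prefer a commit SHA over a tag for both fixtures.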
From: Steffen Zieger Date: Mon, 26 Jun 2017 19:17:35 +0200 Subject: [PATCH 048/246] fix newly introduced rubocop errors --- manifests/server.pp | 2 +- spec/defines/server/host_key_spec.rb | 120 +++++++++++++-------------- 2 files changed, 61 insertions(+), 61 deletions(-) diff --git a/manifests/server.pp b/manifests/server.pp index c3d93b93..16cdb707 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -60,6 +60,6 @@ ~> Class['ssh::server::service'] -> Anchor['ssh::server::end'] } - + create_resources('::ssh::server::match_block', $fin_match_block) } diff --git a/spec/defines/server/host_key_spec.rb b/spec/defines/server/host_key_spec.rb index 262cfacf..b97938de 100644 --- a/spec/defines/server/host_key_spec.rb +++ b/spec/defines/server/host_key_spec.rb 
@@ -27,32 +27,32 @@ { public_key_content: 'abc', private_key_content: 'bcd', - certificate_content: 'cde', + certificate_content: 'cde' } end it do - is_expected.to contain_file('something_pub') - .with_content('abc') - .with_ensure('present') - .with_owner('root') - .with_group('root') - .with_mode('0644') - .with_path('/etc/ssh/something.pub') - is_expected.to contain_file('something_priv') - .with_content('bcd') - .with_ensure('present') - .with_owner('root') - .with_group('root') - .with_mode('0600') - .with_path('/etc/ssh/something') - is_expected.to contain_file('something_cert') - .with_content('cde') - .with_ensure('present') - .with_owner('root') - .with_group('root') - .with_mode('0644') - .with_path('/etc/ssh/something-cert.pub') + is_expected.to contain_file('something_pub'). + with_content('abc'). + with_ensure('present'). + with_owner('root'). + with_group('root'). + with_mode('0644'). + with_path('/etc/ssh/something.pub') + is_expected.to contain_file('something_priv'). + with_content('bcd'). + with_ensure('present'). + with_owner('root'). + with_group('root'). + with_mode('0600'). + with_path('/etc/ssh/something') + is_expected.to contain_file('something_cert'). + with_content('cde'). + with_ensure('present'). + with_owner('root'). + with_group('root'). + with_mode('0644'). + with_path('/etc/ssh/something-cert.pub') end end 
@@ -60,56 +60,56 @@ let :params do { public_key_content: 'abc', - private_key_content: 'bcd', + private_key_content: 'bcd' } end it do - is_expected.to contain_file('something_pub') - .with_content('abc') - .with_ensure('present') - .with_owner('root') - .with_group('root') - .with_mode('0644') - .with_path('/etc/ssh/something.pub') - is_expected.to contain_file('something_priv') - .with_content('bcd') - .with_ensure('present') - .with_owner('root') - .with_group('root') - .with_mode('0600') - .with_path('/etc/ssh/something') + is_expected.to contain_file('something_pub'). + with_content('abc'). + with_ensure('present'). + with_owner('root'). + with_group('root'). + with_mode('0644'). + with_path('/etc/ssh/something.pub') + is_expected.to contain_file('something_priv'). + with_content('bcd'). + with_ensure('present'). + with_owner('root'). + with_group('root'). + with_mode('0600'). + with_path('/etc/ssh/something') is_expected.not_to contain_file('something_cert') end end - + describe 'with *_key_content and *_key_source, *_key_source takes precedence' do let :params do { public_key_content: 'abc', public_key_source: 'a', private_key_content: 'bcd', - private_key_source: 'b', + private_key_source: 'b' } end it do - is_expected.to contain_file('something_pub') - .without_content() - .with_source('a') - .with_ensure('present') - .with_owner('root') - .with_group('root') - .with_mode('0644') - .with_path('/etc/ssh/something.pub') - is_expected.to contain_file('something_priv') - .without_content() - .with_source('b') - .with_ensure('present') - .with_owner('root') - .with_group('root') - .with_mode('0600') - .with_path('/etc/ssh/something') + is_expected.to contain_file('something_pub'). + without_content. + with_source('a'). + with_ensure('present'). + with_owner('root'). + with_group('root'). + with_mode('0644'). + with_path('/etc/ssh/something.pub') + is_expected.to contain_file('something_priv'). + without_content. + with_source('b'). + with_ensure('present'). 
+ with_owner('root'). + with_group('root'). + with_mode('0600'). + with_path('/etc/ssh/something') is_expected.not_to contain_file('something_cert') end end @@ -117,7 +117,7 @@ describe 'with private_key_content and no public_key_content' do let :params do { - private_key_content: 'bcd', + private_key_content: 'bcd' } end @@ -131,7 +131,7 @@ describe 'with public_key_content and no private_key_content' do let :params do { - public_key_content: 'abc', + public_key_content: 'abc' } end @@ -141,11 +141,11 @@ end.to raise_error(%r{You must provide either private_key_source or private_key_content parameter}) end end - + describe 'with private_key_source and no public_key_source' do let :params do { - private_key_source: 'bcd', + private_key_source: 'bcd' } end @@ -159,7 +159,7 @@ describe 'with public_key_source and no private_key_source' do let :params do { - public_key_source: 'abc', + public_key_source: 'abc' } end From 9854f8d6a7db0e0b82eca684e04150dc8c274550 Mon Sep 17 00:00:00 2001 From: Michael Geiger Date: Thu, 18 May 2017 14:49:26 +0200 Subject: [PATCH 049/246] Corrected path to sftp-server for SUSE SLES On SLES12 the path to sftp-server is /usr/lib/ssh --- manifests/params.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/params.pp b/manifests/params.pp index a0cf1fed..30721a5d 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -70,7 +70,7 @@ case $::operatingsystem { 'SLES': { $service_name = 'sshd' - $sftp_server_path = '/usr/lib64/ssh/sftp-server' + $sftp_server_path = '/usr/lib/ssh/sftp-server' } 'OpenSuse': { $service_name = 'sshd' From f3ba40fadd02712540b3efb49d01d8a003f1d1a4 Mon Sep 17 00:00:00 2001 
From: Michael Geiger Date: Mon, 26 Jun 2017 19:59:01 +0200 Subject: [PATCH 050/246] Corrected path to sftp-server for SUSE SLES SLES version < 12 && architecture == 'x86_64': /usr/lib64/ssh/sftp-server SLES version < 12 && architecture != 'x86_64': /usr/lib/ssh/sftp-server SLES version >= 12: /usr/lib/ssh/sftp-server --- manifests/params.pp | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/manifests/params.pp b/manifests/params.pp index 30721a5d..13afcb17 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -70,7 +70,12 @@ case $::operatingsystem { 'SLES': { $service_name = 'sshd' - $sftp_server_path = '/usr/lib/ssh/sftp-server' + $slesversion = 0 + $::operatingsystemmajrelease + if ($slesversion < 12) and ($::architecture == 'x86_64') { + $sftp_server_path = '/usr/lib64/ssh/sftp-server' + } else { + $sftp_server_path = '/usr/lib/ssh/sftp-server' + } } 'OpenSuse': { $service_name = 'sshd' From 9a0585fa29cf5fee07823c1819fe9b179734b9bc Mon Sep 17 00:00:00 2001 From: Peter Wienemann Date: Thu, 21 Jul 2016 15:33:27 +0200 Subject: [PATCH 051/246] Respect order of ssh_config options specified by the user According to the ssh_config man page "more host-specific declarations should be given near the beginning of the file, and general defaults at the end." Since the order of the options matter, alphabetic sorting of ssh_config options is switched off and it is made sure that default options are added at the end of the file. --- manifests/client.pp | 2 +- templates/ssh_config.erb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/client.pp b/manifests/client.pp index 5a2a3c8f..72c64f1d 100644 --- a/manifests/client.pp +++ b/manifests/client.pp 
@@ -18,7 +18,7 @@ if $use_augeas { $merged_options = sshclient_options_to_augeas_ssh_config($fin_options, $options_absent, { 'target' => $::ssh::params::ssh_config }) } else { - $merged_options = merge($ssh::params::ssh_default_options, $fin_options) + $merged_options = merge($fin_options, delete($ssh::params::ssh_default_options, keys($fin_options))) } include ::ssh::client::install diff --git a/templates/ssh_config.erb b/templates/ssh_config.erb index 9c1a0a1c..8cf7db34 100644 --- a/templates/ssh_config.erb +++ b/templates/ssh_config.erb @@ -12,7 +12,7 @@ end -%> -<%- @options.sort.each do |k, v| -%> +<%- @options.each do |k, v| -%> <%- if v.is_a?(Hash) -%> <%- if k.length > 1024 -%> <%- fail("Line exceeds 1024 characters: #{k}") -%> From 88153424fd9b1931726c763bfc90cc3917ad344c Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Wed, 28 Jun 2017 09:46:56 +0200 Subject: [PATCH 052/246] handle different path on different SLES versions, refs #216 --- manifests/params.pp | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/manifests/params.pp b/manifests/params.pp index 13afcb17..78c0240e 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -70,11 +70,18 @@ case $::operatingsystem { 'SLES': { $service_name = 'sshd' - $slesversion = 0 + $::operatingsystemmajrelease - if ($slesversion < 12) and ($::architecture == 'x86_64') { - $sftp_server_path = '/usr/lib64/ssh/sftp-server' - } else { - $sftp_server_path = '/usr/lib/ssh/sftp-server' + # $::operatingsystemmajrelease isn't available on e.g. SLES 10 + case $::operatingsystemrelease { + /^10\./, /^11\./: { + if ($::architecture == 'x86_64') { + $sftp_server_path = '/usr/lib64/ssh/sftp-server' + } else { + $sftp_server_path = '/usr/lib/ssh/sftp-server' + } + } + default: { + $sftp_server_path = '/usr/lib/ssh/sftp-server' + } } } 'OpenSuse': { From 3fb5405d021322e428777c3806c8a8bb568fc6eb Mon Sep 17 00:00:00 2001 
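Review bot: Dropping `.sort` makes the emitted order depend on the hash's iteration order, and the module still targets Ruby 1.8 (see the "be ruby 1.8 compatible" commit later on this page), where hash order is not insertion order; on Puppet 3/Ruby 1.8 the file can be rewritten on every run and, more importantly for ssh_config's first-match-wins semantics, a general `Host *` block can land ahead of a host-specific one and shadow its stricter settings (e.g. `StrictHostKeyChecking`). The companion change in client.pp, `merge($fin_options, delete(...))`, relies on the same ordering guarantee. At minimum add a comment at this loop, `<%- # ssh_config is first-match-wins: host-specific blocks must come before general defaults. Order is the caller's hash order, which is only stable on Ruby >= 1.9 / Puppet 4+ -%>`, and document the same caveat on the `options` parameter; a stronger fix is to accept an ordered array of `[key, value]` pairs when order matters.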
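Review bot: The `/^10\./, /^11\./` branch treats `x86_64` as the only 64-bit architecture, so a SLES 10/11 node reporting e.g. `ppc64` or `s390x` would get `/usr/lib/ssh/sftp-server`; whether those platforms use the lib64 layout is not visible here and should be confirmed before the module claims support for them. A wrong `$sftp_server_path` is not caught by `sshd -t` (the Subsystem binary is not checked at validation time), so sftp silently stops working on such hosts. A short comment on the branch, `# SLES 10/11 install sftp-server under lib64 on 64-bit (verified for x86_64 only)`, would make the assumption explicit.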
From: Steffen Zieger Date: Wed, 28 Jun 2017 09:53:03 +0200 Subject: [PATCH 053/246] be ruby 1.8 compatible for a last release, refs #202 --- lib/puppet/parser/functions/ipaddresses.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/puppet/parser/functions/ipaddresses.rb b/lib/puppet/parser/functions/ipaddresses.rb index 33b25804..33beee7d 100644 --- a/lib/puppet/parser/functions/ipaddresses.rb +++ b/lib/puppet/parser/functions/ipaddresses.rb @@ -1,5 +1,5 @@ module Puppet::Parser::Functions - newfunction(:ipaddresses, type: :rvalue, doc: <<-EOS + newfunction(:ipaddresses, :type => :rvalue, :doc => <<-EOS Returns all ip addresses of network interfaces (except lo) found by facter. EOS ) do |_args| From b0e3228c50f68fb7c26701027be8da69b1a971ee Mon Sep 17 00:00:00 2001 From: Stefan Schlesinger Date: Wed, 6 Sep 2017 22:37:08 +0200 Subject: [PATCH 054/246] Avoid exporting fe80::/64 Link-local addresses are only valid and unique for a single link, generated by appending the ethernet address as the least significant 64 bits. There are conditions where the same link-local address is used for multiple interfaces (bonding, bridges), which leads to duplicate address entries in the array returned by the ipaddresses function. There is no real use case to configure SSH for link-local v6 addresses via Puppet and fe80::/64 is removed entirely from the results. closes #218 --- lib/puppet/parser/functions/ipaddresses.rb | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/lib/puppet/parser/functions/ipaddresses.rb b/lib/puppet/parser/functions/ipaddresses.rb index 33beee7d..d89bbe12 100644 --- a/lib/puppet/parser/functions/ipaddresses.rb +++ b/lib/puppet/parser/functions/ipaddresses.rb @@ -29,6 +29,10 @@ module Puppet::Parser::Functions end end + # Throw away any v6 link-local addresses + fe80_64 = IPAddr.new("fe80::/64") + result.delete_if { |ip| fe80_64.include? IPAddr.new(ip) } + return result end end 
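Review bot: `fe80::/64` is narrower than the link-local prefix; RFC 4291 reserves `fe80::/10` for link-local addresses, so `IPAddr.new('fe80::/10')` is the conventional filter if the intent (per the commit message) is to drop every link-local address. `IPAddr.new(ip)` raises `ArgumentError` on anything it cannot parse (for instance a zone-qualified `fe80::1%eth0`, should a facter version ever report one), which aborts catalog compilation for the whole node instead of skipping one entry; rescuing per address keeps the function best-effort, and `ArgumentError` rather than `IPAddr::InvalidAddressError` keeps the Ruby 1.8 compatibility the preceding commit restores. The top of the file is outside this hunk, so also confirm `require 'ipaddr'` is present there, as `IPAddr` is not loaded by default.
```ruby
    # Throw away any v6 link-local addresses (RFC 4291: fe80::/10)
    link_local = IPAddr.new('fe80::/10')
    result.delete_if do |ip|
      begin
        link_local.include?(IPAddr.new(ip))
      rescue ArgumentError
        false # leave unparseable entries in place rather than abort compilation
      end
    end
```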
From f1280a2caad175f402d2d2b21866d7b5ba7588f2 Mon Sep 17 00:00:00 2001 From: Florian Baumann Date: Mon, 9 Oct 2017 15:13:46 +0200 Subject: [PATCH 055/246] Increase version compatibility of concat --- metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/metadata.json b/metadata.json index d43caad6..ab9181c9 100644 --- a/metadata.json +++ b/metadata.json @@ -55,7 +55,7 @@ }, { "name": "puppetlabs/concat", - "version_requirement": ">= 1.2.5 < 3.0.0" + "version_requirement": ">= 1.2.5 < 5.0.0" } ] } From 95af6a18829c317915a2eb6d445959cae86609fa Mon Sep 17 00:00:00 2001 From: Oliver Freyermuth Date: Fri, 10 Nov 2017 10:31:36 +0100 Subject: [PATCH 056/246] Owning group of ssh private keys is different per distribution. Starting with RHEL 7, it seems keys are owned by the ssh_keys group. --- manifests/params.pp | 15 +++++++++++++++ manifests/server/host_key.pp | 2 +- 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/manifests/params.pp b/manifests/params.pp index 78c0240e..b8d00d98 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -9,6 +9,7 @@ $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' $service_name = 'ssh' $sftp_server_path = '/usr/lib/openssh/sftp-server' + $host_priv_key_group = 'root' } 'RedHat': { $server_package_name = 'openssh-server' @@ -19,6 +20,11 @@ $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' $service_name = 'sshd' $sftp_server_path = '/usr/libexec/openssh/sftp-server' + if versioncmp($::operatingsystemmajrelease, '7') >= 0 { + $host_priv_key_group = 'ssh_keys' + } else { + $host_priv_key_group = 'root' + } } 'FreeBSD', 'DragonFly': { $server_package_name = undef @@ -29,6 +35,7 @@ $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' $service_name = 'sshd' $sftp_server_path = '/usr/libexec/sftp-server' + $host_priv_key_group = 'root' } 'OpenBSD': { $server_package_name = undef 
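Review bot: `versioncmp($::operatingsystemmajrelease, '7')` assumes the fact is always present, yet the SLES branch of this same file (earlier on this page) was just reworked because `$::operatingsystemmajrelease` is missing on older platforms, and the server spec further down had to gain `operatingsystemmajrelease: '6'` to compile at all. On a RedHat-family node without that fact the comparison receives undef and catalog compilation fails rather than falling back to `root`. A guard such as `if $::operatingsystemmajrelease and versioncmp($::operatingsystemmajrelease, '7') >= 0` (or deriving the major from `$::operatingsystemrelease` as the SLES branch does) keeps those nodes compiling.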
@@ -39,6 +46,7 @@ $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' $service_name = 'sshd' $sftp_server_path = '/usr/libexec/sftp-server' + $host_priv_key_group = 'root' } 'Darwin': { $server_package_name = undef @@ -49,6 +57,7 @@ $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' $service_name = 'com.openssh.sshd' $sftp_server_path = '/usr/libexec/sftp-server' + $host_priv_key_group = 'root' } 'ArchLinux': { $server_package_name = 'openssh' @@ -59,6 +68,7 @@ $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' $service_name = 'sshd.service' $sftp_server_path = '/usr/lib/ssh/sftp-server' + $host_priv_key_group = 'root' } 'Suse': { $server_package_name = 'openssh' @@ -67,6 +77,7 @@ $sshd_config = '/etc/ssh/sshd_config' $ssh_config = '/etc/ssh/ssh_config' $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' + $host_priv_key_group = 'root' case $::operatingsystem { 'SLES': { $service_name = 'sshd' @@ -104,6 +115,7 @@ $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' $service_name = 'svc:/network/ssh:default' $sftp_server_path = 'internal-sftp' + $host_priv_key_group = 'root' } default: { $sshd_dir = '/etc/ssh' @@ -112,6 +124,7 @@ $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' $service_name = 'svc:/network/ssh:default' $sftp_server_path = 'internal-sftp' + $host_priv_key_group = 'root' case versioncmp($::kernelrelease, '5.10') { 1: { # Solaris 11 and later @@ -142,6 +155,7 @@ $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' $service_name = 'sshd' $sftp_server_path = '/usr/lib/misc/sftp-server' + $host_priv_key_group = 'root' } 'Amazon': { $server_package_name = 'openssh-server' @@ -152,6 +166,7 @@ $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' $service_name = 'sshd' $sftp_server_path = '/usr/libexec/openssh/sftp-server' + $host_priv_key_group = 'root' } default: { fail("Unsupported platform: ${::osfamily}/${::operatingsystem}") diff --git a/manifests/server/host_key.pp b/manifests/server/host_key.pp index 9bd6c6be..e36e68aa 100644 --- a/manifests/server/host_key.pp +++ b/manifests/server/host_key.pp 
@@ -93,7 +93,7 @@ file {"${name}_priv": ensure => $ensure, owner => 'root', - group => 'root', + group => $::ssh::params::host_priv_key_group, mode => '0600', path => "${::ssh::params::sshd_dir}/${name}", source => $manage_priv_key_source, From 619aab82ef8b4e3fcf0257488f5de5d661a97522 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Sun, 14 Jan 2018 13:08:58 +0100 Subject: [PATCH 057/246] update rubocop config --- .rubocop.yml | 42 +++++++++++++++--------------------------- 1 file changed, 15 insertions(+), 27 deletions(-) diff --git a/.rubocop.yml b/.rubocop.yml index 4a7db26b..478ec6d8 100644 --- a/.rubocop.yml +++ b/.rubocop.yml @@ -1,11 +1,13 @@ require: rubocop-rspec AllCops: - TargetRubyVersion: 1.9 + TargetRubyVersion: 2.2 Include: - ./**/*.rb Exclude: - files/**/* - vendor/**/* + - Gemfile + - Rakefile - .vendor/**/* - pkg/**/* - spec/fixtures/**/* @@ -29,9 +31,6 @@ Lint/EnsureReturn: Lint/HandleExceptions: Enabled: true -Lint/LiteralInCondition: - Enabled: true - Lint/ShadowingOuterLocalVariable: Enabled: true @@ -118,7 +117,7 @@ Lint/Void: Layout/AccessModifierIndentation: Enabled: true -Style/AccessorMethodName: +Naming/AccessorMethodName: Enabled: true Style/Alias: @@ -154,7 +153,7 @@ Layout/CaseIndentation: Style/CharacterLiteral: Enabled: true -Style/ClassAndModuleCamelCase: +Naming/ClassAndModuleCamelCase: Enabled: true Style/ClassAndModuleChildren: @@ -194,9 +193,6 @@ Layout/TrailingBlankLines: Layout/SpaceInsideBlockBraces: Enabled: true -Layout/SpaceInsideBrackets: - Enabled: true - Layout/SpaceInsideHashLiteralBraces: Enabled: true @@ -252,7 +248,7 @@ Style/CommentAnnotation: Metrics/CyclomaticComplexity: Enabled: false -Style/ConstantName: +Naming/ConstantName: Enabled: true Style/Documentation: @@ -361,7 +357,7 @@ Style/UnlessElse: Style/VariableInterpolation: Enabled: true -Style/VariableName: +Naming/VariableName: Enabled: true Style/WhileUntilDo: 
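Review bot: Changing the private key's group to `ssh_keys` has no effect while the line above keeps `mode => '0600'`: with no group bits set, group ownership never grants access. On RHEL 7 the packaged host keys are `root:ssh_keys 0640` so the setgid `ssh-keysign` helper can read them for host-based authentication; if that is the goal, the mode must follow the group (e.g. a `host_priv_key_mode` param set to `0640` where the group is `ssh_keys` and `0600` elsewhere), otherwise document the intent with `# group follows the distro default; 0600 keeps the key root-only regardless`. The `ssh_keys` group is presumably created by the openssh-server package, so this file resource must be ordered after the package install or the run fails with an unknown group; that ordering is outside this hunk.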
@@ -370,7 +366,7 @@ Style/WhileUntilDo: Style/EvenOdd: Enabled: true -Style/FileName: +Naming/FileName: Enabled: true Style/For: @@ -379,7 +375,7 @@ Style/For: Style/Lambda: Enabled: true -Style/MethodName: +Naming/MethodName: Enabled: true Style/MultilineTernaryOperator: @@ -415,7 +411,7 @@ Style/NumericLiterals: Style/OneLineConditional: Enabled: true -Style/OpMethod: +Naming/BinaryOperatorParameterName: Enabled: true Style/ParenthesesAroundCondition: @@ -427,7 +423,7 @@ Style/PercentLiteralDelimiters: Style/PerlBackrefs: Enabled: true -Style/PredicateName: +Naming/PredicateName: Enabled: true Style/RedundantException: @@ -503,15 +499,6 @@ Lint/UselessAssignment: Layout/ClosingParenthesisIndentation: Enabled: false -Metrics/BlockLength: - Enabled: false - -BlockLength: - Max: 161 - -NumericLiterals: - Enabled: false - # RSpec # We don't use rspec in this way @@ -521,6 +508,7 @@ RSpec/DescribeClass: # Example length is not necessarily an indicator of code quality RSpec/ExampleLength: Enabled: False - -RSpec/NestedGroups: - Max: 5 +RSpec/NestedGroups: + Max: 5 +RSpec/MultipleExpectations: + Max: 3 From 539edff0e4e1cc4f69ffcdc3aaa9d8020f5a88cc Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Sun, 14 Jan 2018 13:09:09 +0100 Subject: [PATCH 058/246] fix rubocop issues --- lib/puppet/parser/functions/ipaddresses.rb | 8 ++--- .../sshclient_options_to_augeas_ssh_config.rb | 10 ++++--- ...sshserver_options_to_augeas_sshd_config.rb | 10 ++++--- spec/classes/client_spec.rb | 4 +-- spec/classes/init_spec.rb | 4 +-- spec/classes/server_spec.rb | 3 -- spec/defines/client/config/user_spec.rb | 29 ++++++++++++------- .../util/fact_ssh_client_version_spec.rb | 2 +- .../fact_ssh_server_version_major_spec.rb | 10 +++---- .../util/fact_ssh_server_version_spec.rb | 2 +- 10 files changed, 46 insertions(+), 36 deletions(-) diff --git a/lib/puppet/parser/functions/ipaddresses.rb b/lib/puppet/parser/functions/ipaddresses.rb index d89bbe12..0f1ed217 100644 
--- a/lib/puppet/parser/functions/ipaddresses.rb +++ b/lib/puppet/parser/functions/ipaddresses.rb @@ -1,7 +1,7 @@ module Puppet::Parser::Functions - newfunction(:ipaddresses, :type => :rvalue, :doc => <<-EOS + newfunction(:ipaddresses, :type => :rvalue, :doc => <<-DOC Returns all ip addresses of network interfaces (except lo) found by facter. -EOS +DOC ) do |_args| interfaces = lookupvar('interfaces') @@ -30,8 +30,8 @@ module Puppet::Parser::Functions end # Throw away any v6 link-local addresses - fe80_64 = IPAddr.new("fe80::/64") - result.delete_if { |ip| fe80_64.include? IPAddr.new(ip) } + fe8064 = IPAddr.new('fe80::/64') + result.delete_if { |ip| fe8064.include? IPAddr.new(ip) } return result end diff --git a/lib/puppet/parser/functions/sshclient_options_to_augeas_ssh_config.rb b/lib/puppet/parser/functions/sshclient_options_to_augeas_ssh_config.rb index e4583991..c31c6ff3 100644 --- a/lib/puppet/parser/functions/sshclient_options_to_augeas_ssh_config.rb +++ b/lib/puppet/parser/functions/sshclient_options_to_augeas_ssh_config.rb @@ -1,5 +1,5 @@ module Puppet::Parser::Functions - newfunction(:sshclient_options_to_augeas_ssh_config, :type => :rvalue, :doc => <<-'ENDHEREDOC') do |args| + newfunction(:sshclient_options_to_augeas_ssh_config, :type => :rvalue, :doc => <<-'DOC') do |args| This function will convert a key-value hash to a format understandable by the augeas sshd_config provider It will also optionally deal with keys that should be absent, and inject static parameters if supplied. @@ -64,7 +64,7 @@ module Puppet::Parser::Functions Note how the word "Host" is stripped away. - ENDHEREDOC + DOC if args.empty? raise Puppet::ParseError, 'sshclient_options_to_augeas_ssh_config: expects at least one argument' @@ -103,5 +103,7 @@ module Puppet::Parser::Functions options_final_augeas[value] = { 'ensure' => 'absent' }.merge('key' => value).merge(other_parameters) end return options_final_augeas - end # newfunction -end # module + end + # newfunction +end +# module 
diff --git a/lib/puppet/parser/functions/sshserver_options_to_augeas_sshd_config.rb b/lib/puppet/parser/functions/sshserver_options_to_augeas_sshd_config.rb index 70db06a1..7f474376 100644 --- a/lib/puppet/parser/functions/sshserver_options_to_augeas_sshd_config.rb +++ b/lib/puppet/parser/functions/sshserver_options_to_augeas_sshd_config.rb @@ -1,5 +1,5 @@ module Puppet::Parser::Functions - newfunction(:sshserver_options_to_augeas_sshd_config, :type => :rvalue, :doc => <<-'ENDHEREDOC') do |args| + newfunction(:sshserver_options_to_augeas_sshd_config, :type => :rvalue, :doc => <<-'DOC') do |args| This function will convert a key-value hash to a format understandable by the augeas sshd_config provider It will also optionally deal with keys that should be absent, and inject static parameters if supplied. @@ -74,7 +74,7 @@ module Puppet::Parser::Functions Note how the word "Match" is stripped away. - ENDHEREDOC + DOC if args.empty? raise Puppet::ParseError, 'sshserver_options_to_augeas_sshd_config: expects at least one argument' @@ -113,5 +113,7 @@ module Puppet::Parser::Functions options_final_augeas[value] = { 'ensure' => 'absent' }.merge('key' => value).merge(other_parameters) end return options_final_augeas - end # newfunction -end # module + end + # newfunction +end +# module diff --git a/spec/classes/client_spec.rb b/spec/classes/client_spec.rb index 2e32687b..9b902b7d 100644 --- a/spec/classes/client_spec.rb +++ b/spec/classes/client_spec.rb @@ -1,7 +1,7 @@ require 'spec_helper' describe 'ssh::client', type: 'class' do - context 'On Debian with no other parameters' do + context 'when on Debian with no other parameters' do let :facts do { osfamily: 'Debian', @@ -17,7 +17,7 @@ is_expected.to contain_package('openssh-client').with(ensure: 'present') end end - context 'On Debian with custom ensure' do + context 'when on Debian with custom ensure' do let :facts do { osfamily: 'Debian', 
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index aa640d90..4c7b594c 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb @@ -1,7 +1,7 @@ require 'spec_helper' describe 'ssh', type: 'class' do - context 'On Debian with no other parameters' do + context 'when on Debian with no other parameters' do let :facts do { osfamily: 'Debian', @@ -30,7 +30,7 @@ is_expected.to contain_concat('/etc/ssh/sshd_config').with_validate_cmd(nil) end - context 'On Debian with the validate_sshd_file setting' do + context 'when on Debian with the validate_sshd_file setting' do let :facts do { osfamily: 'Debian', diff --git a/spec/classes/server_spec.rb b/spec/classes/server_spec.rb index 2f0a46d5..c7f974bb 100644 --- a/spec/classes/server_spec.rb +++ b/spec/classes/server_spec.rb @@ -39,7 +39,6 @@ is_expected.to contain_concat__fragment('global config').with( target: '/etc/ssh/sshd_config', content: '# File is managed by Puppet - AcceptEnv LANG LC_* ChallengeResponseAuthentication no PrintMotd no @@ -108,7 +107,6 @@ is_expected.to contain_concat__fragment('global config').with( target: '/etc/ssh/sshd_config', content: '# File is managed by Puppet - AcceptEnv LANG LC_* ChallengeResponseAuthentication no PrintMotd no @@ -162,7 +160,6 @@ is_expected.to contain_concat__fragment('global config').with( target: '/etc/ssh/sshd_config', content: '# File is managed by Puppet - AcceptEnv LANG LC_* ChallengeResponseAuthentication no PrintMotd no diff --git a/spec/defines/client/config/user_spec.rb b/spec/defines/client/config/user_spec.rb index cd9beff0..657a4585 100644 --- a/spec/defines/client/config/user_spec.rb +++ b/spec/defines/client/config/user_spec.rb @@ -45,8 +45,9 @@ end.to raise_error(%r{#{value[1]}}) end end - end # params.each - end # describe 'with invalid parameters' + end + end + # describe 'with invalid parameters' describe 'with correct values' do describe 'with a user provided target' do 
@@ -65,7 +66,8 @@ owner: title, mode: '0600') end - end # describe 'with a user provided target' + end + # describe 'with a user provided target' describe 'user_home_dir behavior' do context 'with a user provided user_home_dir' do @@ -89,7 +91,8 @@ owner: title, mode: '0600') end - end # context 'with manage_user_ssh_dir default value' + end + # context 'with manage_user_ssh_dir default value' context 'with manage_user_ssh_dir set to false' do let :params do @@ -102,8 +105,10 @@ it do is_expected.not_to contain_file("#{user_home_dir}/.ssh") end - end # context 'with manage_user_ssh_dir set to false' - end # context 'with a user provided user_home_dir' + end + # context 'with manage_user_ssh_dir set to false' + end + # context 'with a user provided user_home_dir' context 'with no user provided user_home_dir' do it 'with manage_user_ssh_dir default value' do @@ -125,9 +130,12 @@ it do is_expected.to contain_file("/home/#{title}/.ssh/config") end - end # context 'with manage_user_ssh_dir set to false' - end # context 'with no user provided user_home_dir' - end # describe 'user_home_dir behavior' + end + # context 'with manage_user_ssh_dir set to false' + end + # context 'with no user provided user_home_dir' + end + # describe 'user_home_dir behavior' describe 'ssh configuration content' do let :params do @@ -144,7 +152,8 @@ is_expected.to contain_file("/home/#{title}/.ssh/config").with(content: %r{Host \*\.in2p3\.fr\s*\n\s+GSSAPIAuthentication\s+no\s*\n\s+User\s+riton}) end end - end # describe 'with correct values' + end + # describe 'with correct values' end # vim: tabstop=2 shiftwidth=2 softtabstop=2 diff --git a/spec/unit/facter/util/fact_ssh_client_version_spec.rb b/spec/unit/facter/util/fact_ssh_client_version_spec.rb index 32e40ec7..b0438fe9 100644 --- a/spec/unit/facter/util/fact_ssh_client_version_spec.rb +++ b/spec/unit/facter/util/fact_ssh_client_version_spec.rb 
@@ -5,7 +5,7 @@ Facter.clear Facter.fact(:kernel).stubs(:value).returns('linux') end - context 'on a Linux host' do + context 'when on a Linux host' do before do Facter::Util::Resolution.stubs(:which).with('ssh').returns('/usr/bin/ssh') Facter::Util::Resolution.stubs(:exec).with('ssh -V 2>&1').returns('OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8, OpenSSL 1.0.1f 6 Jan 2014') diff --git a/spec/unit/facter/util/fact_ssh_server_version_major_spec.rb b/spec/unit/facter/util/fact_ssh_server_version_major_spec.rb index 2d88d0fa..55e91bea 100644 --- a/spec/unit/facter/util/fact_ssh_server_version_major_spec.rb +++ b/spec/unit/facter/util/fact_ssh_server_version_major_spec.rb @@ -7,8 +7,8 @@ end describe 'ssh_server_version_major' do - context '3 point semver syntax (6.6.1p1)' do - context 'returns major version when ssh_server_version_full fact present' do + context 'with 3 point semver syntax (6.6.1p1)' do + context 'with ssh_server_version_full fact present returns major version' do before do Facter.fact(:ssh_server_version_full).stubs(:value).returns('6.6.1p1') end @@ -18,8 +18,8 @@ end end - context '2 point semver syntax (7.2p2)' do - context 'returns major version when ssh_server_version_full fact present' do + context 'with 2 point semver syntax (7.2p2)' do + context 'with ssh_server_version_full fact present returns major version' do before do Facter.fact(:ssh_server_version_full).stubs(:value).returns('7.2p2') end @@ -29,7 +29,7 @@ end end - context 'returns nil when ssh_server_version_full fact not present' do + context 'without ssh_server_version_full fact present returns nil' do before do Facter.fact(:ssh_server_version_full).stubs(:value).returns(nil) end diff --git a/spec/unit/facter/util/fact_ssh_server_version_spec.rb b/spec/unit/facter/util/fact_ssh_server_version_spec.rb index d86d824d..9afe8be7 100644 --- a/spec/unit/facter/util/fact_ssh_server_version_spec.rb +++ b/spec/unit/facter/util/fact_ssh_server_version_spec.rb 
@@ -5,7 +5,7 @@ Facter.clear Facter.fact(:kernel).stubs(:value).returns('linux') end - context 'on a Linux host' do + context 'when on a Linux host' do before do Facter::Util::Resolution.stubs(:which).with('sshd').returns('/usr/sbin/sshd') Facter::Util::Resolution.stubs(:exec).with('sshd -V 2>&1').returns('OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8, OpenSSL 1.0.1f 6 Jan 2014') From b0c49015f8d473df2e52d1265b294f81b59b3839 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Sun, 14 Jan 2018 13:27:58 +0100 Subject: [PATCH 059/246] fix spec test failures --- spec/classes/server_spec.rb | 4 ++++ spec/defines/client/config/user_spec.rb | 3 ++- spec/defines/server/config/setting_spec.rb | 1 + spec/defines/server/host_key_spec.rb | 1 + 4 files changed, 8 insertions(+), 1 deletion(-) diff --git a/spec/classes/server_spec.rb b/spec/classes/server_spec.rb index c7f974bb..907e73f3 100644 --- a/spec/classes/server_spec.rb +++ b/spec/classes/server_spec.rb @@ -20,6 +20,7 @@ let :facts do { osfamily: 'RedHat', + operatingsystemmajrelease: '6', interfaces: 'eth0', ipaddress_eth0: '192.168.1.1', ipaddress6_eth0: '::1', @@ -39,6 +40,7 @@ is_expected.to contain_concat__fragment('global config').with( target: '/etc/ssh/sshd_config', content: '# File is managed by Puppet + AcceptEnv LANG LC_* ChallengeResponseAuthentication no PrintMotd no @@ -107,6 +109,7 @@ is_expected.to contain_concat__fragment('global config').with( target: '/etc/ssh/sshd_config', content: '# File is managed by Puppet + AcceptEnv LANG LC_* ChallengeResponseAuthentication no PrintMotd no @@ -160,6 +163,7 @@ is_expected.to contain_concat__fragment('global config').with( target: '/etc/ssh/sshd_config', content: '# File is managed by Puppet + AcceptEnv LANG LC_* ChallengeResponseAuthentication no PrintMotd no diff --git a/spec/defines/client/config/user_spec.rb b/spec/defines/client/config/user_spec.rb index 657a4585..d7d474b3 100644 --- a/spec/defines/client/config/user_spec.rb +++ b/spec/defines/client/config/user_spec.rb 
@@ -18,7 +18,8 @@ let :facts do { osfamily: 'RedHat', - concat_basedir: '/tmp' + operatingsystemmajrelease: '6', + concat_basedir: '/tmp', } end diff --git a/spec/defines/server/config/setting_spec.rb b/spec/defines/server/config/setting_spec.rb index e64ee1bc..1fe0a4a6 100644 --- a/spec/defines/server/config/setting_spec.rb +++ b/spec/defines/server/config/setting_spec.rb @@ -8,6 +8,7 @@ let :facts do { osfamily: 'RedHat', + operatingsystemmajrelease: '6', concat_basedir: '/tmp', puppetversion: '3.7.0', sshdsakey: 'AAAAB3NzaC1kc3MAAACBAODCvvUUnv2imW4cfuLBWVJTLMzds89MtCUXGl3+7Gza5QYJmp7GSkKBnV8+7XI+JAmjv0RKQM1RAn7mV5UplRTtg3CYbeNkX4IakZmNJLTdL4vUyIehhaxBobpOtBaJfFewCJE1plIaWvoWfEDrShcjIUbUbJMfR8YWweIIqp9bAAAAFQCr8+KRfOUZbS9Dz1t15A/Owl61VQAAAIBr/7hNPCvjzAl5+rde6jUR5k20pxAE+z2wsaZxlhrs6ZhhplyCKIXKq4rCx4QuFVPh/c+WJRPO56iH/rSh5Y5cpT1LUk66wNJcOBPprjvDEHfQUHUmfYXzNJ2BHkRL78lfzQr52YyowV6dHfktv0VsIctm13KcMr2KQygZtV6EqgAAAIEAjNC4PRdzYpWfxu268CJDpexlhBwIkIx+ovEibtYeke55qAQcF9UWko4A1c8Wf4nLLxlQYCf501Bt5lb6GmZd0xfpg27fPIfzZPL8o+E756D3ZcNXUaLj4HPRKnwNcdAtChL2jESH3fm8PyNwBI7tV6IOjmOGpyQKtmJq3IyNgms=', diff --git a/spec/defines/server/host_key_spec.rb b/spec/defines/server/host_key_spec.rb index b97938de..7cb50aa8 100644 --- a/spec/defines/server/host_key_spec.rb +++ b/spec/defines/server/host_key_spec.rb 
@@ -10,6 +10,7 @@ let :facts do { osfamily: 'RedHat', + operatingsystemmajrelease: '6', concat_basedir: '/tmp', puppetversion: '3.7.0', sshdsakey: 'AAAAB3NzaC1kc3MAAACBAODCvvUUnv2imW4cfuLBWVJTLMzds89MtCUXGl3+7Gza5QYJmp7GSkKBnV8+7XI+JAmjv0RKQM1RAn7mV5UplRTtg3CYbeNkX4IakZmNJLTdL4vUyIehhaxBobpOtBaJfFewCJE1plIaWvoWfEDrShcjIUbUbJMfR8YWweIIqp9bAAAAFQCr8+KRfOUZbS9Dz1t15A/Owl61VQAAAIBr/7hNPCvjzAl5+rde6jUR5k20pxAE+z2wsaZxlhrs6ZhhplyCKIXKq4rCx4QuFVPh/c+WJRPO56iH/rSh5Y5cpT1LUk66wNJcOBPprjvDEHfQUHUmfYXzNJ2BHkRL78lfzQr52YyowV6dHfktv0VsIctm13KcMr2KQygZtV6EqgAAAIEAjNC4PRdzYpWfxu268CJDpexlhBwIkIx+ovEibtYeke55qAQcF9UWko4A1c8Wf4nLLxlQYCf501Bt5lb6GmZd0xfpg27fPIfzZPL8o+E756D3ZcNXUaLj4HPRKnwNcdAtChL2jESH3fm8PyNwBI7tV6IOjmOGpyQKtmJq3IyNgms=', From a4cd67c72dacd1cfe7c33254d12ddaa9a07d72e6 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Tue, 16 Jan 2018 14:03:11 +0100 Subject: [PATCH 060/246] add Solaris to supported platforms, fixes #219 --- metadata.json | 3 +++ 1 file changed, 3 insertions(+) diff --git a/metadata.json b/metadata.json index ab9181c9..5948c1bd 100644 --- a/metadata.json +++ b/metadata.json @@ -30,6 +30,9 @@ { "operatingsystem": "Gentoo" }, + { + "operatingsystem": "Solaris" + }, { "operatingsystem": "ArchLinux" } From 14b48e2e11ce265bcf60f564eb198c429cb94be6 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Tue, 16 Jan 2018 14:09:08 +0100 Subject: [PATCH 061/246] ensure = absent should remove keys and not fail with an error, fixes #220 --- manifests/server/host_key.pp | 89 ++++++++++++++++++++++++------------ 1 file changed, 60 insertions(+), 29 deletions(-) diff --git a/manifests/server/host_key.pp b/manifests/server/host_key.pp index e36e68aa..8e09b9bc 100644 --- a/manifests/server/host_key.pp +++ b/manifests/server/host_key.pp 
@@ -45,10 +45,10 @@
 $certificate_source = '',
 $certificate_content = '',
 ) {
- if $public_key_source == '' and $public_key_content == '' {
+ if $public_key_source == '' and $public_key_content == '' and $ensure == 'present' {
 fail('You must provide either public_key_source or public_key_content parameter')
 }
- if $private_key_source == '' and $private_key_content == '' {
+ if $private_key_source == '' and $private_key_content == '' and $ensure == 'present' {
 fail('You must provide either private_key_source or private_key_content parameter')
 }
@@ -79,38 +79,69 @@ default => $certificate_source, } - file {"${name}_pub": - ensure => $ensure, - owner => 'root', - group => 'root', - mode => '0644', - path => "${::ssh::params::sshd_dir}/${name}.pub", - source => $manage_pub_key_source, - content => $manage_pub_key_content, - notify => Class['ssh::server::service'], - } - - file {"${name}_priv": - ensure => $ensure, - owner => 'root', - group => $::ssh::params::host_priv_key_group, - mode => '0600', - path => "${::ssh::params::sshd_dir}/${name}", - source => $manage_priv_key_source, - content => $manage_priv_key_content, - notify => Class['ssh::server::service'], - } - - if !empty($certificate_source) or !empty($certificate_content) { - file {"${name}_cert": + if $ensure == 'present' { + file {"${name}_pub": ensure => $ensure, owner => 'root', group => 'root', mode => '0644', - path => "${::ssh::params::sshd_dir}/${name}-cert.pub", - source => $manage_cert_source, - content => $manage_cert_content, + path => "${::ssh::params::sshd_dir}/${name}.pub", + source => $manage_pub_key_source, + content => $manage_pub_key_content, notify => Class['ssh::server::service'], } + + file {"${name}_priv": + ensure => $ensure, + owner => 'root', + group => $::ssh::params::host_priv_key_group, + mode => '0600', + path => "${::ssh::params::sshd_dir}/${name}", + source => $manage_priv_key_source, + content => $manage_priv_key_content, + notify => Class['ssh::server::service'], + } + } else { + file {"${name}_pub": + ensure => $ensure, + owner => 'root', + group => 'root', + mode => '0644', + path => "${::ssh::params::sshd_dir}/${name}.pub", + notify => Class['ssh::server::service'], + } + + file {"${name}_priv": + ensure => $ensure, + owner => 'root', + group => $::ssh::params::host_priv_key_group, + mode => '0600', + path => "${::ssh::params::sshd_dir}/${name}", + notify => Class['ssh::server::service'], + } + } + + if !empty($certificate_source) or !empty($certificate_content) { + if $ensure == 'present' { + file 
{"${name}_cert": + ensure => $ensure, + owner => 'root', + group => 'root', + mode => '0644', + path => "${::ssh::params::sshd_dir}/${name}-cert.pub", + source => $manage_cert_source, + content => $manage_cert_content, + notify => Class['ssh::server::service'], + } + } else { + file {"${name}_cert": + ensure => $ensure, + owner => 'root', + group => 'root', + mode => '0644', + path => "${::ssh::params::sshd_dir}/${name}-cert.pub", + notify => Class['ssh::server::service'], + } + } } } From fb2de7592b5a75930a6eefb283ce070a3051d9d2 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Tue, 16 Jan 2018 14:37:23 +0100 Subject: [PATCH 062/246] fix version facts on SunOS, fixes #230 --- lib/facter/ssh_client_version.rb | 4 ++-- lib/facter/ssh_server_version.rb | 4 ++-- .../util/fact_ssh_client_version_spec.rb | 17 +++++++++++++---- .../util/fact_ssh_server_version_spec.rb | 19 ++++++++++++++----- 4 files changed, 31 insertions(+), 13 deletions(-) diff --git a/lib/facter/ssh_client_version.rb b/lib/facter/ssh_client_version.rb index 856106a4..830986e1 100644 --- a/lib/facter/ssh_client_version.rb +++ b/lib/facter/ssh_client_version.rb @@ -6,11 +6,11 @@ version = Facter::Util::Resolution.exec('ssh -V 2>&1'). lines. to_a. - select { |line| line.match(%r{^OpenSSH_}) }. + select { |line| line.match(%r{^OpenSSH_|^Sun_SSH_}) }. first. rstrip - version.gsub(%r{^OpenSSH_([^ ]+).*$}, '\1') unless version.nil? + version.gsub(%r{^(OpenSSH_|Sun_SSH_)([^ ,]+).*$}, '\2') unless version.nil? end end end diff --git a/lib/facter/ssh_server_version.rb b/lib/facter/ssh_server_version.rb index ed9dc4f1..10e63d89 100644 --- a/lib/facter/ssh_server_version.rb +++ b/lib/facter/ssh_server_version.rb 
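Review bot: The new `else` branches treat every value other than `'present'` as a removal, but `$ensure` is still an untyped parameter (declared above this hunk), so a value such as `'file'` or a typo skips the source/content checks and is passed straight through to `file { "${name}_priv": ensure => $ensure, ... }`; for `'file'` that would create an empty 0600 host key under `${::ssh::params::sshd_dir}` and notify the sshd service. Constrain the parameter and make the removal explicit: `Enum['present', 'absent'] $ensure = 'present',` in the define header, and `ensure => 'absent',` in the three `else` resources instead of `ensure => $ensure,`. The same applies to the certificate `else` branch at the end of the hunk. The define's header and the selector assignments it relies on lie outside this hunk.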
@@ -9,11 +9,11 @@ version = Facter::Util::Resolution.exec('sshd -V 2>&1'). lines. to_a. - select { |line| line.match(%r{^OpenSSH_}) }. + select { |line| line.match(%r{^OpenSSH_|^Sun_SSH_}) }. first. rstrip - version.gsub(%r{^OpenSSH_([^ ]+).*$}, '\1') unless version.nil? + version.gsub(%r{^(OpenSSH_|Sun_SSH_)([^ ,]+).*$}, '\2') unless version.nil? end end end diff --git a/spec/unit/facter/util/fact_ssh_client_version_spec.rb b/spec/unit/facter/util/fact_ssh_client_version_spec.rb index b0438fe9..76f2c55b 100644 --- a/spec/unit/facter/util/fact_ssh_client_version_spec.rb +++ b/spec/unit/facter/util/fact_ssh_client_version_spec.rb @@ -1,12 +1,10 @@ require 'spec_helper' describe 'ssh_client_version_full' do - before do - Facter.clear - Facter.fact(:kernel).stubs(:value).returns('linux') - end context 'when on a Linux host' do before do + Facter.clear + Facter.fact(:kernel).stubs(:value).returns('linux') Facter::Util::Resolution.stubs(:which).with('ssh').returns('/usr/bin/ssh') Facter::Util::Resolution.stubs(:exec).with('ssh -V 2>&1').returns('OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8, OpenSSL 1.0.1f 6 Jan 2014') end @@ -14,4 +12,15 @@ expect(Facter.fact(:ssh_client_version_full).value).to eq('6.6.1p1') end end + context 'when on a SunOS host' do + before do + Facter.clear + Facter.fact(:kernel).stubs(:value).returns('SunOS') + Facter::Util::Resolution.stubs(:which).with('ssh').returns('/usr/bin/ssh') + Facter::Util::Resolution.stubs(:exec).with('ssh -V 2>&1').returns('Sun_SSH_2.4, SSH protocols 1.5/2.0, OpenSSL 0x100020bf') + end + it 'execs ssh -V and returns full version number' do + expect(Facter.fact(:ssh_client_version_full).value).to eq('2.4') + end + end end diff --git a/spec/unit/facter/util/fact_ssh_server_version_spec.rb b/spec/unit/facter/util/fact_ssh_server_version_spec.rb index 9afe8be7..d4030b3b 100644 --- a/spec/unit/facter/util/fact_ssh_server_version_spec.rb +++ b/spec/unit/facter/util/fact_ssh_server_version_spec.rb 
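Review bot: `select { ... }.first.rstrip` on the lines following the changed `select` raises `NoMethodError` on `nil` whenever no line matches (an sshd that prints neither `OpenSSH_` nor `Sun_SSH_`, or a failed `sshd -V`), so the `unless version.nil?` guard on the last changed line can never fire; Facter will log the exception rather than resolve the fact to a clean `nil`. Move the guard before the string handling: `version = ...select { |line| line.match(%r{^OpenSSH_|^Sun_SSH_}) }.first` and then `version.rstrip.gsub(%r{^(OpenSSH_|Sun_SSH_)([^ ,]+).*$}, '\2') unless version.nil?`; if `exec` itself can return `nil` the `.lines` call would fail even earlier, so a `return nil if version.nil?` right after `exec` is the safer shape. The client fact hunk above has the identical chain. The `setcode` block begins outside this hunk.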
@@ -1,17 +1,26 @@ require 'spec_helper' describe 'ssh_server_version_full' do - before do - Facter.clear - Facter.fact(:kernel).stubs(:value).returns('linux') - end context 'when on a Linux host' do before do + Facter.clear + Facter.fact(:kernel).stubs(:value).returns('linux') Facter::Util::Resolution.stubs(:which).with('sshd').returns('/usr/sbin/sshd') Facter::Util::Resolution.stubs(:exec).with('sshd -V 2>&1').returns('OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8, OpenSSL 1.0.1f 6 Jan 2014') end - it 'execs sshd -V' do + it 'execs sshd -V and returns full version number' do expect(Facter.fact(:ssh_server_version_full).value).to eq('6.6.1p1') end end + context 'when on a SunOS host' do + before do + Facter.clear + Facter.fact(:kernel).stubs(:value).returns('SunOS') + Facter::Util::Resolution.stubs(:which).with('sshd').returns('/usr/bin/sshd') + Facter::Util::Resolution.stubs(:exec).with('sshd -V 2>&1').returns('Sun_SSH_2.4, SSH protocols 1.5/2.0, OpenSSL 0x100020bf') + end + it 'execs sshd -V and returns full version number' do + expect(Facter.fact(:ssh_server_version_full).value).to eq('2.4') + end + end end From 87784797470c30e4a57c3b5ce00e16cb539b1dbe Mon Sep 17 00:00:00 2001 From: Philippe Muller Date: Mon, 19 Feb 2018 14:53:48 +0800 Subject: [PATCH 063/246] Use variable typing instead of legacy validate_*() functions --- manifests/client.pp | 12 ++++---- manifests/client/config/user.pp | 16 +++------- manifests/hostkeys.pp | 7 ++--- manifests/init.pp | 41 +++++++++---------------- manifests/server.pp | 22 ++++++------- metadata.json | 2 +- spec/defines/client/config/user_spec.rb | 10 +++--- 7 files changed, 45 insertions(+), 65 deletions(-) diff --git a/manifests/client.pp b/manifests/client.pp index 5a2a3c8f..ef6dadec 100644 --- a/manifests/client.pp +++ b/manifests/client.pp 
@@ -1,13 +1,13 @@ class ssh::client( - $ensure = present, - $storeconfigs_enabled = true, - $options = {}, - $use_augeas = false, - $options_absent = [], + String $ensure = present, + Boolean $storeconfigs_enabled = true, + Hash $options = {}, + Boolean $use_augeas = false, + Array $options_absent = [], ) inherits ssh::params { # Merge hashes from multiple layer of hierarchy in hiera - $hiera_options = hiera_hash("${module_name}::client::options", undef) + $hiera_options = lookup("${module_name}::client::options", Optional[Hash], 'hash', undef) $fin_options = $hiera_options ? { undef => $options, diff --git a/manifests/client/config/user.pp b/manifests/client/config/user.pp index 0c7b3836..871506a8 100644 --- a/manifests/client/config/user.pp +++ b/manifests/client/config/user.pp @@ -3,17 +3,13 @@ # Contributor: Remi Ferrand (2015) # define ssh::client::config::user( - $ensure = present, - $target = undef, - $user_home_dir = undef, - $manage_user_ssh_dir = true, - $options = {} + Enum['present', 'absent'] $ensure = present, + Optional[Stdlib::Absolutepath] $target = undef, + Optional[Stdlib::Absolutepath] $user_home_dir = undef, + Boolean $manage_user_ssh_dir = true, + Hash $options = {} ) { - validate_re($ensure, '^(present|absent)$') - validate_hash($options) - validate_bool($manage_user_ssh_dir) - include ::ssh::params $_files_ensure = $ensure ? { 'present' => 'file', 'absent' => 'absent' } @@ -22,7 +18,6 @@ # it must have higher priority than any # other parameter. if ($target != undef) { - validate_absolute_path($target) $_target = $target } else { @@ -30,7 +25,6 @@ $_user_home_dir = "/home/${name}" } else { - validate_absolute_path($user_home_dir) $_user_home_dir = $user_home_dir } diff --git a/manifests/hostkeys.pp b/manifests/hostkeys.pp index 1a07c7e0..18689ccc 100644 --- a/manifests/hostkeys.pp +++ b/manifests/hostkeys.pp 
@@ -1,10 +1,9 @@ # Class ssh::hostkeys class ssh::hostkeys( - $export_ipaddresses = true, - $storeconfigs_group = undef, - $extra_aliases = [], + Boolean $export_ipaddresses = true, + Optional[String] $storeconfigs_group = undef, + Array $extra_aliases = [], ) { - validate_array($extra_aliases) if $export_ipaddresses == true { $ipaddresses = ipaddresses() diff --git a/manifests/init.pp b/manifests/init.pp index 02644405..6143024d 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -1,34 +1,23 @@ # Main file for puppet-ssh class ssh ( - $server_options = {}, - $server_match_block = {}, - $client_options = {}, - $users_client_options = {}, - $version = 'present', - $storeconfigs_enabled = true, - $validate_sshd_file = $::ssh::params::validate_sshd_file, - $use_augeas = false, - $server_options_absent = [], - $client_options_absent = [], - $use_issue_net = false, + Hash $server_options = {}, + Hash $server_match_block = {}, + Hash $client_options = {}, + Hash $users_client_options = {}, + String $version = 'present', + Boolean $storeconfigs_enabled = true, + Boolean $validate_sshd_file = $::ssh::params::validate_sshd_file, + Boolean $use_augeas = false, + Array $server_options_absent = [], + Array $client_options_absent = [], + Boolean $use_issue_net = false, ) inherits ssh::params { - validate_hash($server_options) - validate_hash($server_match_block) - validate_hash($client_options) - validate_hash($users_client_options) - validate_bool($storeconfigs_enabled) - validate_bool($validate_sshd_file) - validate_bool($use_augeas) - validate_array($server_options_absent) - validate_array($client_options_absent) - validate_bool($use_issue_net) - # Merge hashes from multiple layer of hierarchy in hiera - $hiera_server_options = hiera_hash("${module_name}::server_options", undef) - $hiera_server_match_block = hiera_hash("${module_name}::server_match_block", undef) - $hiera_client_options = hiera_hash("${module_name}::client_options", undef) - $hiera_users_client_options = hiera_hash("${module_name}::users_client_options", undef) + $hiera_server_options = lookup("${module_name}::server_options", Optional[Hash], 'hash', undef) + $hiera_server_match_block = lookup("${module_name}::server_match_block", Optional[Hash], 'hash', undef) + $hiera_client_options = lookup("${module_name}::client_options", Optional[Hash], 'hash', undef) + $hiera_users_client_options = lookup("${module_name}::users_client_options", Optional[Hash], 'hash', undef) 
$fin_server_options = $hiera_server_options ? { undef => $server_options, diff --git a/manifests/server.pp b/manifests/server.pp index 16cdb707..73fa104f 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -1,19 +1,17 @@ class ssh::server( - $ensure = present, - $storeconfigs_enabled = true, - $options = {}, - $validate_sshd_file = false, - $use_augeas = false, - $options_absent = [], - $match_block = {}, - $use_issue_net = false + String $ensure = present, + Boolean $storeconfigs_enabled = true, + Hash $options = {}, + Boolean $validate_sshd_file = false, + Boolean $use_augeas = false, + Array $options_absent = [], + Hash $match_block = {}, + Boolean $use_issue_net = false ) inherits ssh::params { - validate_hash($match_block) - # Merge hashes from multiple layer of hierarchy in hiera - $hiera_options = hiera_hash("${module_name}::server::options", undef) - $hiera_match_block = hiera_hash("${module_name}::server::match_block", undef) + $hiera_options = lookup("${module_name}::server::options", Optional[Hash], 'hash', undef) + $hiera_match_block = lookup("${module_name}::server::match_block", Optional[Hash], 'hash', undef) $fin_match_block = $hiera_match_block ? { undef => $match_block, diff --git a/metadata.json b/metadata.json index 5948c1bd..d4c088dd 100644 --- a/metadata.json +++ b/metadata.json @@ -54,7 +54,7 @@ "dependencies": [ { "name": "puppetlabs/stdlib", - "version_requirement": ">= 4.6.0 < 5.0.0" + "version_requirement": ">= 4.24.0 < 5.0.0" }, { "name": "puppetlabs/concat", diff --git a/spec/defines/client/config/user_spec.rb b/spec/defines/client/config/user_spec.rb index d7d474b3..d6fb971d 100644 --- a/spec/defines/client/config/user_spec.rb +++ b/spec/defines/client/config/user_spec.rb 
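Review bot: `lookup(..., Optional[Hash], 'hash', undef)` always performs a shallow, top-level-keys-only merge and, as far as I know, does not honour a legacy `merge_behavior: deeper` setting in hiera.yaml the way `hiera_hash` did, so a deployment that relied on deep-merging `ssh::server_options` or `ssh::server_match_block` across layers (a hardening baseline in a common layer with per-role overrides above it) could now have the lower layer's nested keys silently dropped; I cannot tell from this hunk which merge behaviour existing users depend on. Either pass `'deep'` where nested hashes are expected or document the contract next to the lookups, e.g. `# lookup() merges only top-level keys; a deeper merge_behavior from hiera.yaml is not applied here`, and call the change out in the changelog. The same replacement is made in the client.pp and server.pp hunks of this commit.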
@@ -25,11 +25,11 @@ describe 'with invalid parameters' do params = { - ensure: ['somestate', 'does not'], - target: ['./somedir', 'is not an absolute path'], - user_home_dir: ['./somedir', 'is not an absolute path'], - manage_user_ssh_dir: ['maybe', 'is not a boolean'], - options: ['the_options', 'is not a Hash'] + ensure: ['somestate', 'expects a match for Enum'], + target: ['./somedir', 'Pattern'], + user_home_dir: ['./somedir', 'Pattern'], + manage_user_ssh_dir: ['maybe', 'expects a Boolean'], + options: ['the_options', 'expects a value of type Undef or Hash'] } params.each do |param, value| From c9e41f19898b39efc626fe5b43f43299aec0b91b Mon Sep 17 00:00:00 2001 From: Philippe Muller Date: Mon, 19 Feb 2018 14:55:04 +0800 Subject: [PATCH 064/246] Stop running tests on Puppet 3 --- .travis.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.travis.yml b/.travis.yml index f5cd2dd9..31896c48 100644 --- a/.travis.yml +++ b/.travis.yml @@ -14,8 +14,6 @@ script: matrix: fast_finish: true include: - - rvm: 2.1 - env: PUPPET_VERSION="~> 3.0" STRICT_VARIABLES="yes" CHECK=test - rvm: 2.1 env: PUPPET_VERSION="~> 4.0" STRICT_VARIABLES="yes" CHECK=test - rvm: 2.2 From c79a1d127eeb38162164d681392e15bc582c5b12 Mon Sep 17 00:00:00 2001 From: Philippe Muller Date: Mon, 19 Feb 2018 15:02:23 +0800 Subject: [PATCH 065/246] Update required Puppet version --- metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/metadata.json b/metadata.json index d4c088dd..66098f6b 100644 --- a/metadata.json +++ b/metadata.json @@ -40,7 +40,7 @@ "requirements": [ { "name": "puppet", - "version_requirement": ">= 3.0.0 < 5.0.0" + "version_requirement": ">= 4.10.10 < 5.0.0" } ], "name": "saz-ssh", From 2b38170466006fbb6137d219e8340c58191e7ab0 Mon Sep 17 00:00:00 2001 
From: Philippe Muller Date: Mon, 19 Feb 2018 15:31:47 +0800 Subject: [PATCH 066/246] Fix test: remove comma after last hash item --- spec/defines/client/config/user_spec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec/defines/client/config/user_spec.rb b/spec/defines/client/config/user_spec.rb index d6fb971d..f63b7104 100644 --- a/spec/defines/client/config/user_spec.rb +++ b/spec/defines/client/config/user_spec.rb @@ -19,7 +19,7 @@ { osfamily: 'RedHat', operatingsystemmajrelease: '6', - concat_basedir: '/tmp', + concat_basedir: '/tmp' } end From 07ca8154291313df22ecc2cfb6c02b761b75bb90 Mon Sep 17 00:00:00 2001 From: Philippe Muller Date: Mon, 19 Feb 2018 15:33:45 +0800 Subject: [PATCH 067/246] Update error message pattern to pass test with older Puppet versions --- spec/defines/client/config/user_spec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec/defines/client/config/user_spec.rb b/spec/defines/client/config/user_spec.rb index f63b7104..cc85967a 100644 --- a/spec/defines/client/config/user_spec.rb +++ b/spec/defines/client/config/user_spec.rb @@ -29,7 +29,7 @@ target: ['./somedir', 'Pattern'], user_home_dir: ['./somedir', 'Pattern'], manage_user_ssh_dir: ['maybe', 'expects a Boolean'], - options: ['the_options', 'expects a value of type Undef or Hash'] + options: ['the_options', 'Hash value'] } params.each do |param, value| From 5c3821ab055201d5778022888392de31ac93efff Mon Sep 17 00:00:00 2001 From: Philippe Muller Date: Mon, 19 Feb 2018 15:42:59 +0800 Subject: [PATCH 068/246] Ignore EmptyLinesAroundArguments rubocop error for configuration files content --- spec/classes/server_spec.rb | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/spec/classes/server_spec.rb b/spec/classes/server_spec.rb index 907e73f3..330870f2 100644 --- a/spec/classes/server_spec.rb +++ b/spec/classes/server_spec.rb 
@@ -39,6 +39,7 @@ it do is_expected.to contain_concat__fragment('global config').with( target: '/etc/ssh/sshd_config', + # rubocop:disable EmptyLinesAroundArguments content: '# File is managed by Puppet AcceptEnv LANG LC_* @@ -50,6 +51,7 @@ UsePAM yes X11Forwarding yes ' + # rubocop:enable EmptyLinesAroundArguments ) end end @@ -108,6 +110,7 @@ it do is_expected.to contain_concat__fragment('global config').with( target: '/etc/ssh/sshd_config', + # rubocop:disable EmptyLinesAroundArguments content: '# File is managed by Puppet AcceptEnv LANG LC_* @@ -117,6 +120,7 @@ UsePAM yes X11Forwarding yes ' + # rubocop:enable EmptyLinesAroundArguments ) end end @@ -162,6 +166,7 @@ it do is_expected.to contain_concat__fragment('global config').with( target: '/etc/ssh/sshd_config', + # rubocop:disable EmptyLinesAroundArguments content: '# File is managed by Puppet AcceptEnv LANG LC_* @@ -171,6 +176,7 @@ UsePAM yes X11Forwarding yes ' + # rubocop:enable EmptyLinesAroundArguments ) end end From 96952d4aff023ed04fced7b9effc5b8e141d6fe4 Mon Sep 17 00:00:00 2001 From: Philippe Muller Date: Sat, 24 Feb 2018 19:07:57 +0800 Subject: [PATCH 069/246] Make tests pass for Puppet 5 too --- .travis.yml | 4 ++++ manifests/server/host_key.pp | 4 ++++ metadata.json | 2 +- 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 31896c48..742b81c8 100644 --- a/.travis.yml +++ b/.travis.yml @@ -22,6 +22,10 @@ matrix: env: PUPPET_VERSION="~> 4.0" STRICT_VARIABLES="yes" CHECK=rubocop - rvm: 2.3.1 env: PUPPET_VERSION="~> 4.0" STRICT_VARIABLES="yes" CHECK=build FORGEDEPLOY=true + - rvm: 2.3.1 + env: PUPPET_VERSION="~> 5.0" STRICT_VARIABLES="yes" CHECK=test + - rvm: 2.3.1 + env: PUPPET_VERSION="~> 5.0" STRICT_VARIABLES="yes" CHECK=rubocop notifications: email: false deploy: diff --git a/manifests/server/host_key.pp b/manifests/server/host_key.pp index 8e09b9bc..388e710d 100644 --- a/manifests/server/host_key.pp +++ b/manifests/server/host_key.pp 
@@ -45,6 +45,10 @@ $certificate_source = '', $certificate_content = '', ) { + + # Ensure the ssh::server class is included in the manifest + include ::ssh::server + if $public_key_source == '' and $public_key_content == '' and $ensure == 'present' { fail('You must provide either public_key_source or public_key_content parameter') } diff --git a/metadata.json b/metadata.json index 66098f6b..07aee0e2 100644 --- a/metadata.json +++ b/metadata.json @@ -40,7 +40,7 @@ "requirements": [ { "name": "puppet", - "version_requirement": ">= 4.10.10 < 5.0.0" + "version_requirement": ">= 4.10.10 < 6.0.0" } ], "name": "saz-ssh", From 688f0c50adb7e7d7794825c81286aa96d30183d0 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Sun, 3 Jun 2018 14:46:35 +0200 Subject: [PATCH 070/246] update rubocop config --- .rubocop.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.rubocop.yml b/.rubocop.yml index 478ec6d8..5860cfd3 100644 --- a/.rubocop.yml +++ b/.rubocop.yml @@ -315,7 +315,10 @@ Style/StringLiterals: Style/TrailingCommaInArguments: Enabled: true -Style/TrailingCommaInLiteral: +Style/TrailingCommaInArrayLiteral: + Enabled: true + +Style/TrailingCommaInHashLiteral: Enabled: true Style/GlobalVars: From a9c6cd83a3e2b8dc67db9a05bb0d4e13739a281e Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Sun, 3 Jun 2018 14:58:50 +0200 Subject: [PATCH 071/246] make class params look a little better --- manifests/client.pp | 8 ++++---- manifests/client/config/user.pp | 10 +++++----- manifests/hostkeys.pp | 4 ++-- manifests/init.pp | 22 +++++++++++----------- manifests/knownhosts.pp | 4 ++-- manifests/server.pp | 14 +++++++------- manifests/server/host_key.pp | 10 +++++----- manifests/server/service.pp | 4 ++-- 8 files changed, 38 insertions(+), 38 deletions(-) diff --git a/manifests/client.pp b/manifests/client.pp index ef6dadec..124e4ea3 100644 --- a/manifests/client.pp +++ b/manifests/client.pp 
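Review bot: `include ::ssh::server` inside the define pulls the server class in with all-default parameters on any node that declares a host key without having declared `ssh::server` first, and a later resource-like `class { 'ssh::server': options => ... }` in the same catalog will then fail as a duplicate declaration. The server_spec hunks on this page show that class writing its own `global config` fragment for sshd_config (with `X11Forwarding yes` in those examples), so adding a key could replace a deliberately hardened configuration with module defaults. If the include exists only so the `Class['ssh::server::service']` reference resolves, consider failing loudly instead, `unless defined(Class['ssh::server']) { fail('ssh::server::host_key requires ssh::server to be declared first') }`, or at least document the side effect in the define header comment. The define's body continues outside this hunk.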
@@ -1,9 +1,9 @@ class ssh::client( - String $ensure = present, + String $ensure = present, Boolean $storeconfigs_enabled = true, - Hash $options = {}, - Boolean $use_augeas = false, - Array $options_absent = [], + Hash $options = {}, + Boolean $use_augeas = false, + Array $options_absent = [], ) inherits ssh::params { # Merge hashes from multiple layer of hierarchy in hiera diff --git a/manifests/client/config/user.pp b/manifests/client/config/user.pp index 871506a8..9c59f89d 100644 --- a/manifests/client/config/user.pp +++ b/manifests/client/config/user.pp @@ -3,11 +3,11 @@ # Contributor: Remi Ferrand (2015) # define ssh::client::config::user( - Enum['present', 'absent'] $ensure = present, - Optional[Stdlib::Absolutepath] $target = undef, - Optional[Stdlib::Absolutepath] $user_home_dir = undef, - Boolean $manage_user_ssh_dir = true, - Hash $options = {} + Enum['present', 'absent'] $ensure = present, + Optional[Stdlib::Absolutepath] $target = undef, + Optional[Stdlib::Absolutepath] $user_home_dir = undef, + Boolean $manage_user_ssh_dir = true, + Hash $options = {} ) { include ::ssh::params diff --git a/manifests/hostkeys.pp b/manifests/hostkeys.pp index 18689ccc..909946e2 100644 --- a/manifests/hostkeys.pp +++ b/manifests/hostkeys.pp @@ -1,8 +1,8 @@ # Class ssh::hostkeys class ssh::hostkeys( - Boolean $export_ipaddresses = true, + Boolean $export_ipaddresses = true, Optional[String] $storeconfigs_group = undef, - Array $extra_aliases = [], + Array $extra_aliases = [], ) { if $export_ipaddresses == true { diff --git a/manifests/init.pp b/manifests/init.pp index 6143024d..67b65585 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -1,16 +1,16 @@ # Main file for puppet-ssh class ssh ( - Hash $server_options = {}, - Hash $server_match_block = {}, - Hash $client_options = {}, - Hash $users_client_options = {}, - String $version = 'present', - Boolean $storeconfigs_enabled = true, - Boolean $validate_sshd_file = $::ssh::params::validate_sshd_file, - Boolean $use_augeas = false, - Array $server_options_absent = [], - Array $client_options_absent = [], - Boolean $use_issue_net = false, + Hash $server_options = {}, + Hash $server_match_block = {}, + Hash $client_options = {}, + Hash $users_client_options = {}, + String $version = 'present', + Boolean $storeconfigs_enabled = true, + Boolean $validate_sshd_file = $::ssh::params::validate_sshd_file, + Boolean $use_augeas = false, + Array $server_options_absent = [], + Array $client_options_absent = [], + Boolean $use_issue_net = false, ) inherits ssh::params { # Merge hashes from multiple layer of hierarchy in hiera diff --git a/manifests/knownhosts.pp b/manifests/knownhosts.pp index 1df84036..555a8878 100644 --- a/manifests/knownhosts.pp +++ b/manifests/knownhosts.pp @@ -1,6 +1,6 @@ class ssh::knownhosts( - $collect_enabled = $ssh::params::collect_enabled, - $storeconfigs_group = undef, + Boolean $collect_enabled = $ssh::params::collect_enabled, + Optional[String] $storeconfigs_group = undef, ) inherits ssh::params { if ($collect_enabled) { resources { 'sshkey': diff --git a/manifests/server.pp b/manifests/server.pp index 73fa104f..36d294ce 100644 --- a/manifests/server.pp +++ b/manifests/server.pp 
@@ -1,12 +1,12 @@ class ssh::server( - String $ensure = present, + String $ensure = present, Boolean $storeconfigs_enabled = true, - Hash $options = {}, - Boolean $validate_sshd_file = false, - Boolean $use_augeas = false, - Array $options_absent = [], - Hash $match_block = {}, - Boolean $use_issue_net = false + Hash $options = {}, + Boolean $validate_sshd_file = false, + Boolean $use_augeas = false, + Array $options_absent = [], + Hash $match_block = {}, + Boolean $use_issue_net = false ) inherits ssh::params { # Merge hashes from multiple layer of hierarchy in hiera diff --git a/manifests/server/host_key.pp b/manifests/server/host_key.pp index 388e710d..217ede81 100644 --- a/manifests/server/host_key.pp +++ b/manifests/server/host_key.pp @@ -37,12 +37,12 @@ # Note certificate_source and certificate_content are mutually exclusive. # define ssh::server::host_key ( - $ensure = 'present', - $public_key_source = '', - $public_key_content = '', - $private_key_source = '', + $ensure = 'present', + $public_key_source = '', + $public_key_content = '', + $private_key_source = '', $private_key_content = '', - $certificate_source = '', + $certificate_source = '', $certificate_content = '', ) { diff --git a/manifests/server/service.pp b/manifests/server/service.pp index 619a1982..bc278e0e 100644 --- a/manifests/server/service.pp +++ b/manifests/server/service.pp @@ -1,6 +1,6 @@ class ssh::server::service ( - $ensure = 'running', - $enable = true + String $ensure = 'running', + Boolean $enable = true ){ include ::ssh::params include ::ssh::server From 3b31a4a3307636102f3f0d5c950808b75dd5a6d2 Mon Sep 17 00:00:00 2001 From: Mike Baynton Date: Sun, 10 Jun 2018 13:07:10 -0500 Subject: [PATCH 072/246] Add parameter for sshkey resource purging. --- manifests/init.pp | 30 +++++++++++++++++++----------- manifests/knownhosts.pp | 4 ---- spec/classes/init_spec.rb | 33 +++++++++++++++++++++++++++++++++ 3 files changed, 52 insertions(+), 15 deletions(-) 
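Review bot: `String $ensure = 'running'` in ssh::server::service accepts any string, so a typo such as `runing` now passes the type check and only fails later at the service resource; ssh::client::config::user in this same diff already constrains its `$ensure` with `Enum['present', 'absent']`. `Enum['running', 'stopped'] $ensure = 'running',` would give the service class the same guarantee. The class body continues outside the hunk.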
diff --git a/manifests/init.pp b/manifests/init.pp index 67b65585..cdbe2d03 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,16 +1,17 @@ # Main file for puppet-ssh class ssh ( - Hash $server_options = {}, - Hash $server_match_block = {}, - Hash $client_options = {}, - Hash $users_client_options = {}, - String $version = 'present', - Boolean $storeconfigs_enabled = true, - Boolean $validate_sshd_file = $::ssh::params::validate_sshd_file, - Boolean $use_augeas = false, - Array $server_options_absent = [], - Array $client_options_absent = [], - Boolean $use_issue_net = false, + Hash $server_options = {}, + Hash $server_match_block = {}, + Hash $client_options = {}, + Hash $users_client_options = {}, + String $version = 'present', + Boolean $storeconfigs_enabled = true, + Boolean $validate_sshd_file = $::ssh::params::validate_sshd_file, + Boolean $use_augeas = false, + Array $server_options_absent = [], + Array $client_options_absent = [], + Boolean $use_issue_net = false, + Boolean $purge_unmanaged_sshkeys = true, ) inherits ssh::params { # Merge hashes from multiple layer of hierarchy in hiera @@ -61,6 +62,13 @@ options_absent => $client_options_absent, } + # If host keys are being managed, optionally purge unmanaged ones as well. + if ($storeconfigs_enabled and $purge_unmanaged_sshkeys) { + resources { 'sshkey': + purge => true, + } + } + create_resources('::ssh::client::config::user', $fin_users_client_options) create_resources('::ssh::server::match_block', $fin_server_match_block) } diff --git a/manifests/knownhosts.pp b/manifests/knownhosts.pp index 555a8878..3ffdbe47 100644 --- a/manifests/knownhosts.pp +++ b/manifests/knownhosts.pp @@ -3,10 +3,6 @@ Optional[String] $storeconfigs_group = undef, ) inherits ssh::params { if ($collect_enabled) { - resources { 'sshkey': - purge => true, - } - if $storeconfigs_group { Sshkey <<| tag == "hostkey_${storeconfigs_group}" |>> } else { 
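Review bot: The `resources { 'sshkey': purge => true }` declaration moves from ssh::knownhosts, where it was gated on `$collect_enabled`, into the top-level ssh class gated on `$storeconfigs_enabled and $purge_unmanaged_sshkeys`; nodes that include ssh::knownhosts or ssh::client directly rather than the ssh class silently stop purging unmanaged sshkey entries, and the ssh class now purges even when `$collect_enabled` is false. Whether that is intended cannot be told from the hunk, so it should be stated in the commit message, and the new parameter needs a doc comment such as `# @param purge_unmanaged_sshkeys Remove sshkey entries not managed by Puppet from the system known_hosts; only effective when storeconfigs_enabled is true.`. The added comment `# If host keys are being managed, optionally purge unmanaged ones as well.` describes the storeconfigs condition, not host-key management, and could say so.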
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index 4c7b594c..8a8ebab5 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb @@ -30,6 +30,10 @@ is_expected.to contain_concat('/etc/ssh/sshd_config').with_validate_cmd(nil) end + it do + is_expected.to contain_resources('sshkey').with_purge(true) + end + context 'when on Debian with the validate_sshd_file setting' do let :facts do { @@ -62,4 +66,33 @@ end end end + + standard_facts = { + osfamily: 'Debian', + interfaces: 'eth0', + ipaddress_eth0: '192.168.1.1', + ipaddress6_eth0: '::1', + concat_basedir: '/tmp', + puppetversion: '3.7.0', + sshdsakey: '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', + sshrsakey: 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDzA57hAMwz6pywCgxNUcloWeNMvBo2PDPxK2RCegst+9tYaf4S3shnM9a1j2PGBoeRXTuUG6mYB32fJm6/37UUUJA4lT+8CZ3hNnDZU9aitpukkKon7RIlvY1PWO8wT4A5mEa0hfdQg6Um8KZZUs+jrB+8zMJO/X0fmleY54r/JKrP3hNcpaJpTUVQEvMmKacW7nYez/PvWKAz8d02uAOXuauGKhZ9K2AHYKlQFqJ4S1jLiduoGFWxFQ2vQybbN/O0PQQU7EZlHIjSzwoowZLzlxCKCZcKnoDsbGCtYHArbjxTb+m5e7nvsamz7TXLoY90Srmc5QGMxrLUlSvkYsm5', + sshecdsakey: 'AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFDrof0LPA0hGuwODy+5uTynV7rgPJspvZo2TzykBu5mSANJvdL1z5/JS3x16/c/cDjx2lfEkRoVDnon4/NjKEM=', + sshed25519key: '', + id: 'root', + is_pe: false, + path: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games' + } + + context 'When on Debian without resource purging' do + let :facts do + standard_facts + end + let :params do + { 'purge_unmanaged_sshkeys' => false } + end + + it do + is_expected.not_to contain_resources('sshkey') + end + end end From 74171c0591943afd21266e8f59c4594256bfad7b Mon Sep 17 00:00:00 2001 
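Review bot: The new example covers only `purge_unmanaged_sshkeys => false`; the guard added to init.pp also depends on `storeconfigs_enabled`, so a sibling context with `{ 'storeconfigs_enabled' => false }` asserting `is_expected.not_to contain_resources('sshkey')` would pin the other half of the condition. `standard_facts` also appears to repeat a facts hash (the spec's earlier `let :facts` is outside the hunk) including long public-key fixture strings; reusing the existing facts through a shared `let` or `super().merge(...)` would avoid maintaining two copies.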
From: Tim Meusel Date: Mon, 27 Feb 2017 13:03:13 +0100 Subject: [PATCH 073/246] introduce puppet4 types to client::config::user This required some adjustments to the tests. Also the metadata.json got updated. The first recommended puppet 4 version is 4.6.1. stdlib got updated to the version that ships the AbsolutePath datatype --- manifests/client/config/user.pp | 3 +++ spec/defines/client/config/user_spec.rb | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/manifests/client/config/user.pp b/manifests/client/config/user.pp index 9c59f89d..5b2dd20b 100644 --- a/manifests/client/config/user.pp +++ b/manifests/client/config/user.pp @@ -1,6 +1,7 @@ # # Copyright (c) IN2P3 Computing Centre, IN2P3, CNRS # Contributor: Remi Ferrand (2015) +# Contributor: Tim Meusel (2017) # define ssh::client::config::user( Enum['present', 'absent'] $ensure = present, @@ -10,6 +11,7 @@ Hash $options = {} ) { + include ::ssh::params $_files_ensure = $ensure ? { 'present' => 'file', 'absent' => 'absent' } @@ -47,4 +49,5 @@ mode => $::ssh::params::user_ssh_config_default_mode, content => template("${module_name}/ssh_config.erb"), } + } diff --git a/spec/defines/client/config/user_spec.rb b/spec/defines/client/config/user_spec.rb index cc85967a..7ee14c1f 100644 --- a/spec/defines/client/config/user_spec.rb +++ b/spec/defines/client/config/user_spec.rb @@ -42,8 +42,8 @@ it 'fails' do expect do - is_expected.to compile - end.to raise_error(%r{#{value[1]}}) + is_expected.to not_compile + end end end end From 602b12a455653a03862d43f8601cf93d0bae3763 Mon Sep 17 00:00:00 2001 
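Review bot: `expect do is_expected.to not_compile end` with no `.to` matcher never executes its block, so the 'fails' example now passes regardless of whether compilation fails; RSpec only runs an `expect { }` block when a matcher is applied to it. rspec-puppet's `compile` matcher supports the negative case directly: `is_expected.to compile.and_raise_error(%r{#{value[1]}})`, or `is_expected.not_to compile` if the message is no longer of interest. The enclosing loop around `it 'fails'` starts outside the hunk.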
From: Tim Meusel Date: Wed, 1 Mar 2017 11:18:12 +0100 Subject: [PATCH 074/246] migrate from file resource to concat this allows us to use this defined type as often as we want (which is the purpose of a defined type). Each usage of it creates an entry in $user/.ssh/config. This is not a breaking change since you can still use the resource as before. However, you can now call it multiple times by setting a unique name for it + providing user => $user as a parameter. Use case: define a block in each puppet profile you have. Notice: I needed to bump the concat dependency by a major release, this means that the next release of this software also should be a major one, even if the API of this module has no breaking changes. --- manifests/client/config/user.pp | 32 +++++++++++++++++++------------- metadata.json | 2 +- 2 files changed, 20 insertions(+), 14 deletions(-) diff --git a/manifests/client/config/user.pp b/manifests/client/config/user.pp index 5b2dd20b..7ea0f5f7 100644 --- a/manifests/client/config/user.pp +++ b/manifests/client/config/user.pp @@ -14,8 +14,6 @@ include ::ssh::params - $_files_ensure = $ensure ? { 'present' => 'file', 'absent' => 'absent' } - # If a specific target file was specified, # it must have higher priority than any # other parameter. @@ -24,7 +22,7 @@ } else { if ($user_home_dir == undef) { - $_user_home_dir = "/home/${name}" + $_user_home_dir = "/home/${user}" } else { $_user_home_dir = $user_home_dir 
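Review bot: `"/home/${user}"` references `$user`, but the parameter list of ssh::client::config::user (shown in the previous commit's hunk) declares no `$user` parameter, and the 19 insertions the diffstat reports for user.pp are all accounted for by the three hunks here, so nothing adds it; Puppet will treat `$user` as undefined — a compile error under strict variables, an empty string otherwise, collapsing the path to `/home/`. The same reference recurs in the next hunk (`owner => $user`, `tag => $user`), and the spec in PATCH 075 still expects `/home/#{title}`, which only holds if `$user` defaults to the resource title: `Optional[String] $user = $name,` alongside the other parameters would make that explicit. The enclosing `if ($target ...)` branch starts outside the hunk.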
@@ -34,20 +32,28 @@ $_target = "${user_ssh_dir}/config" if ($manage_user_ssh_dir == true) { - file { $user_ssh_dir: - ensure => directory, - owner => $name, - mode => $::ssh::params::user_ssh_directory_default_mode, - before => File[$_target], + unless defined(File[$user_ssh_dir]) { + file { $user_ssh_dir: + ensure => directory, + owner => $user, + mode => $::ssh::params::user_ssh_directory_default_mode, + before => Concat_file[$_target], + } } } } - file { $_target: - ensure => $_files_ensure, - owner => $name, - mode => $::ssh::params::user_ssh_config_default_mode, + unless defined(Concat_file[$_target]) { + concat_file{$_target: + ensure => $ensure, + owner => $user, + mode => $::ssh::params::user_ssh_config_default_mode, + tag => $user, + } + } + concat_fragment{$name: + tag => $user, content => template("${module_name}/ssh_config.erb"), + target => $_target, } - } diff --git a/metadata.json b/metadata.json index 07aee0e2..34b0e9e7 100644 --- a/metadata.json +++ b/metadata.json @@ -58,7 +58,7 @@ }, { "name": "puppetlabs/concat", - "version_requirement": ">= 1.2.5 < 5.0.0" + "version_requirement": ">= 2.2.0 < 5.0.0" } ] } From e3c494639ec4630f2ad658001b391757528fe953 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Fri, 3 Mar 2017 09:33:25 +0100 Subject: [PATCH 075/246] fix spec tests --- spec/defines/client/config/user_spec.rb | 45 ++++++++++++++++--------- 1 file changed, 30 insertions(+), 15 deletions(-) diff --git a/spec/defines/client/config/user_spec.rb b/spec/defines/client/config/user_spec.rb index 7ee14c1f..3fc5f57f 100644 --- a/spec/defines/client/config/user_spec.rb +++ b/spec/defines/client/config/user_spec.rb @@ -63,9 +63,14 @@ end it do - is_expected.to contain_file(target).with(ensure: 'file', - owner: title, - mode: '0600') + is_expected.to contain_concat_file(target).with( + ensure: 'present', + tag: title + ) + is_expected.to contain_concat_fragment(title).with( + tag: title, + target: target + ) end end # describe 'with a user provided target' 
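Review bot: The `unless defined(File[$user_ssh_dir])` guard also skips the `before => Concat_file[$_target]` ordering whenever the directory was declared elsewhere, so with a second ssh::client::config::user for the same user (the use case this commit enables) nothing orders `~/.ssh` before the config file; `defined()` is parse-order dependent as well, so the outcome changes with manifest evaluation order. The `concat_file` takes `ensure => $ensure`, but the `concat_fragment` below it is declared unconditionally, so an `ensure => 'absent'` usage still adds a fragment to a file being removed. A comment stating the intended contract would help the next reader, e.g. `# The first declaration for a user owns ~/.ssh and the concat_file; later declarations only contribute fragments.`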
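Review bot: The rewritten expectation for the user-provided target drops the `owner: title` and `mode: '0600'` checks that the old `contain_file` assertion carried, so a regression that leaves the concat_file readable by other users would no longer be caught here, whereas the `user_home_dir` example later in this commit still asserts both. Adding `owner: title, mode: '0600'` to the `contain_concat_file(target).with(...)` call restores that coverage. The enclosing describe block starts outside the hunk.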
@@ -84,13 +89,17 @@ end it 'contains ssh directory and ssh config' do - is_expected.to contain_file("#{user_home_dir}/.ssh").with(ensure: 'directory', - owner: title, - mode: '0700').that_comes_before("File[#{user_home_dir}/.ssh/config]") - - is_expected.to contain_file("#{user_home_dir}/.ssh/config").with(ensure: 'file', - owner: title, - mode: '0600') + is_expected.to contain_file("#{user_home_dir}/.ssh").with( + ensure: 'directory', + owner: title, + mode: '0700' + ).that_comes_before("Concat_file[#{user_home_dir}/.ssh/config]") + + is_expected.to contain_concat_file("#{user_home_dir}/.ssh/config").with( + ensure: 'present', + owner: title, + mode: '0600' + ) end end # context 'with manage_user_ssh_dir default value' @@ -113,8 +122,8 @@ context 'with no user provided user_home_dir' do it 'with manage_user_ssh_dir default value' do - is_expected.to contain_file("/home/#{title}/.ssh").that_comes_before("File[/home/#{title}/.ssh/config]") - is_expected.to contain_file("/home/#{title}/.ssh/config") + is_expected.to contain_file("/home/#{title}/.ssh").that_comes_before("Concat_file[/home/#{title}/.ssh/config]") + is_expected.to contain_concat_file("/home/#{title}/.ssh/config") end context 'with manage_user_ssh_dir set to false' do @@ -129,7 +138,7 @@ end it do - is_expected.to contain_file("/home/#{title}/.ssh/config") + is_expected.to contain_concat_file("/home/#{title}/.ssh/config") end end # context 'with manage_user_ssh_dir set to false' 
@@ -146,11 +155,17 @@ end it 'has single value' do - is_expected.to contain_file("/home/#{title}/.ssh/config").with(content: %r{HashKnownHosts\s+yes}) + is_expected.to contain_concat_fragment(title).with( + content: %r{HashKnownHosts\s+yes}, + target: "/home/#{title}/.ssh/config" + ) end it 'has Hash value' do - is_expected.to contain_file("/home/#{title}/.ssh/config").with(content: %r{Host \*\.in2p3\.fr\s*\n\s+GSSAPIAuthentication\s+no\s*\n\s+User\s+riton}) + is_expected.to contain_concat_fragment(title).with( + content: %r{Host \*\.in2p3\.fr\s*\n\s+GSSAPIAuthentication\s+no\s*\n\s+User\s+riton}, + target: "/home/#{title}/.ssh/config" + ) end end end From ffea4a853c47d7ab8f9665d1720ff2dc37ae6b3b Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Fri, 3 Mar 2017 09:36:55 +0100 Subject: [PATCH 076/246] enhance syntax highlighting in README.md --- README.md | 196 +++++++++++++++++++++++++++--------------------------- 1 file changed, 98 insertions(+), 98 deletions(-) diff --git a/README.md b/README.md index 89ad0885..81376e4a 100644 --- a/README.md +++ b/README.md @@ -22,10 +22,10 @@ client and server, configuration files. Multiple occurrences of one config key (e.g. sshd should be listening on port 22 and 2222) should be passed as an array. -``` - options => { - 'Port' => [22, 2222], - } +```puppet +options => { + 'Port' => [22, 2222], +} ``` This is working for both, client and server. 
@@ -34,44 +34,44 @@ This is working for both, client and server. Host keys will be collected and distributed unless `storeconfigs_enabled` is `false`. -``` - include ssh +```puppet +include ssh ``` or -``` - class { 'ssh': - storeconfigs_enabled => false, - server_options => { - 'Match User www-data' => { - 'ChrootDirectory' => '%h', - 'ForceCommand' => 'internal-sftp', - 'PasswordAuthentication' => 'yes', - 'AllowTcpForwarding' => 'no', - 'X11Forwarding' => 'no', - }, - 'Port' => [22, 2222, 2288], - }, - client_options => { - 'Host *.amazonaws.com' => { - 'User' => 'ec2-user', - }, - }, - users_client_options => { - 'bob' => { - options => { - 'Host *.alice.fr' => { - 'User' => 'alice', - }, - }, +```puppet +class { 'ssh': + storeconfigs_enabled => false, + server_options => { + 'Match User www-data' => { + 'ChrootDirectory' => '%h', + 'ForceCommand' => 'internal-sftp', + 'PasswordAuthentication' => 'yes', + 'AllowTcpForwarding' => 'no', + 'X11Forwarding' => 'no', + }, + 'Port' => [22, 2222, 2288], + }, + client_options => { + 'Host *.amazonaws.com' => { + 'User' => 'ec2-user', + }, + }, + users_client_options => { + 'bob' => { + options => { + 'Host *.alice.fr' => { + 'User' => 'alice', }, }, - } + }, + }, +} ``` ### Hiera example -``` +```yaml ssh::storeconfigs_enabled: true ssh::server_options: 
@@ -109,26 +109,26 @@ ssh::users_client_options: Collected host keys from servers will be written to `known_hosts` unless `storeconfigs_enabled` is `false` -``` - include ssh::client +```puppet +include ssh::client ``` or -``` - class { 'ssh::client': - storeconfigs_enabled => false, - options => { - 'Host short' => { - 'User' => 'my-user', - 'HostName' => 'extreme.long.and.complicated.hostname.domain.tld', - }, - 'Host *' => { - 'User' => 'andromeda', - 'UserKnownHostsFile' => '/dev/null', - }, - }, - } +```puppet +class { 'ssh::client': + storeconfigs_enabled => false, + options => { + 'Host short' => { + 'User' => 'my-user', + 'HostName' => 'extreme.long.and.complicated.hostname.domain.tld', + }, + 'Host *' => { + 'User' => 'andromeda', + 'UserKnownHostsFile' => '/dev/null', + }, + }, +} ``` ### Per user client configuration 
@@ -192,35 +192,35 @@ SSH configuration file will be `/var/lib/bob/.ssh/config`. Host keys will be collected for client distribution unless `storeconfigs_enabled` is `false` -``` - include ssh::server +```puppet +include ssh::server ``` or -``` - class { 'ssh::server': - storeconfigs_enabled => false, - options => { - 'Match User www-data' => { - 'ChrootDirectory' => '%h', - 'ForceCommand' => 'internal-sftp', - 'PasswordAuthentication' => 'yes', - 'AllowTcpForwarding' => 'no', - 'X11Forwarding' => 'no', - }, - 'PasswordAuthentication' => 'no', - 'PermitRootLogin' => 'no', - 'Port' => [22, 2222], - }, - } +```puppet +class { 'ssh::server': + storeconfigs_enabled => false, + options => { + 'Match User www-data' => { + 'ChrootDirectory' => '%h', + 'ForceCommand' => 'internal-sftp', + 'PasswordAuthentication' => 'yes', + 'AllowTcpForwarding' => 'no', + 'X11Forwarding' => 'no', + }, + 'PasswordAuthentication' => 'no', + 'PermitRootLogin' => 'no', + 'Port' => [22, 2222], + }, +} ``` ### Validate config before replacing it `validate_sshd_file` allows you to run `/usr/sbin/sshd -tf` against the sshd config file before it gets replaced, and will raise an error if the config is incorrect. -``` +```puppet class { 'ssh::server': validate_sshd_file => true, } 
@@ -231,23 +231,23 @@ class { 'ssh::server': ### Client -``` - 'Host *' => { - 'SendEnv' => 'LANG LC_*', - 'HashKnownHosts' => 'yes', - 'GSSAPIAuthentication' => 'yes', - } +```puppet +'Host *' => { + 'SendEnv' => 'LANG LC_*', + 'HashKnownHosts' => 'yes', + 'GSSAPIAuthentication' => 'yes', +} ``` ### Server -``` - 'ChallengeResponseAuthentication' => 'no', - 'X11Forwarding' => 'yes', - 'PrintMotd' => 'no', - 'AcceptEnv' => 'LANG LC_*', - 'Subsystem' => 'sftp /usr/lib/openssh/sftp-server', - 'UsePAM' => 'yes', +```puppet +'ChallengeResponseAuthentication' => 'no', +'X11Forwarding' => 'yes', +'PrintMotd' => 'no', +'AcceptEnv' => 'LANG LC_*', +'Subsystem' => 'sftp /usr/lib/openssh/sftp-server', +'UsePAM' => 'yes', ``` ## Overwriting default options @@ -257,12 +257,12 @@ will win. The following example will disable X11Forwarding, which is enabled by default: -``` - class { 'ssh::server': - options => { - 'X11Forwarding' => 'no', - }, - } +```puppet +class { 'ssh::server': + options => { + 'X11Forwarding' => 'no', + }, +} ``` Which will lead to the following `sshd_config` file: @@ -273,7 +273,7 @@ Which will lead to the following `sshd_config` file: ChallengeResponseAuthentication no X11Forwarding no PrintMotd no -AcceptEnv LANG LC_* +AcceptEnv LANG LC\_\* Subsystem sftp /usr/lib/openssh/sftp-server UsePAM yes PasswordAuthentication no @@ -281,12 +281,12 @@ PasswordAuthentication no Values can also be arrays, which will result in the option being specified multiple times -``` - class { 'ssh::server': - options => { - 'HostKey' => ['/etc/ssh/ssh_host_ed25519_key', '/etc/ssh/ssh_host_rsa_key'], - }, - } +```puppet +class { 'ssh::server': + options => { + 'HostKey' => ['/etc/ssh/ssh_host_ed25519_key', '/etc/ssh/ssh_host_rsa_key'], + }, +} ``` Which will lead to the following `sshd_config` file: 
@@ -298,7 +298,7 @@ ChallengeResponseAuthentication no HostKey /etc/ssh/ssh_host_ed25519_key HostKey /etc/ssh/ssh_host_rsa_key PrintMotd no -AcceptEnv LANG LC_* +AcceptEnv LANG LC_\* Subsystem sftp /usr/lib/openssh/sftp-server UsePAM yes PasswordAuthentication no @@ -307,7 +307,7 @@ PasswordAuthentication no ## Defining host keys for server You can define host keys your server will use -``` +```puppet ssh::server::host_key {'ssh_host_rsa_key': private_key_content => '', public_key_content => '', @@ -317,7 +317,7 @@ ssh::server::host_key {'ssh_host_rsa_key': Alternately, you could create the host key providing the files, instead of the content: -``` +```puppet ssh::server::host_key {'ssh_host_rsa_key': private_key_source => 'puppet:///mymodule/ssh_host_rsa_key', public_key_source => 'puppet:///mymodule/ssh_host_rsa_key.pub', @@ -330,7 +330,7 @@ Both of these definitions will create ```/etc/ssh/ssh_host_rsa_key``` and ## Adding custom match blocks -``` +```puppet class YOURCUSTOMCLASS { include ssh From 757f7c8a82741d2c2c238efbc36873ce98c35572 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Wed, 24 May 2017 13:14:33 +0200 Subject: [PATCH 077/246] make rspec output more beautiful --- .rspec | 1 + 1 file changed, 1 insertion(+) create mode 100644 .rspec diff --git a/.rspec b/.rspec new file mode 100644 index 00000000..49d5710b --- /dev/null +++ b/.rspec @@ -0,0 +1 @@ +--format documentation From ba580699c1d80665adc7765dfb02def60aa70096 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Wed, 24 May 2017 13:14:54 +0200 Subject: [PATCH 078/246] add .vendor to gitignore --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 4235cdae..1d548c57 100644 --- a/.gitignore +++ b/.gitignore @@ -3,4 +3,5 @@ pkg/ .DS_Store Gemfile.lock vendor/ +.vendor/ .bundle/ From d3a96da2614b76266985fd3b751f50323c657d96 Mon Sep 17 00:00:00 2001 
From: Tim Meusel Date: Wed, 24 May 2017 13:18:50 +0200 Subject: [PATCH 079/246] bring gemset up2date --- Gemfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile b/Gemfile index 8c8067a4..2eb30672 100644 --- a/Gemfile +++ b/Gemfile @@ -25,7 +25,7 @@ group :test do gem 'metadata-json-lint', require: false gem 'puppet-blacksmith', require: false gem 'voxpupuli-release', require: false, git: 'https://github.com/voxpupuli/voxpupuli-release-gem.git' - gem 'puppet-strings', require: false, git: 'https://github.com/puppetlabs/puppetlabs-strings.git' + gem 'puppet-strings', '~> 1.0', require: false gem 'rubocop-rspec', '~> 1.5', require: false if RUBY_VERSION >= '2.2.0' gem 'json_pure', '<= 2.0.1', require: false if RUBY_VERSION < '2.0.0' gem 'rspec-its', require: false From 551b95af01f0acc668893e902ce1ea13565bf53e Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Wed, 24 May 2017 13:21:47 +0200 Subject: [PATCH 080/246] update rubocop config --- .rubocop.yml | 430 ++++++++++++++++++++++++++------------------------- 1 file changed, 222 insertions(+), 208 deletions(-) diff --git a/.rubocop.yml b/.rubocop.yml index 5860cfd3..ec786e22 100644 --- a/.rubocop.yml +++ b/.rubocop.yml 
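Review bot: Pinning puppet-strings to `'~> 1.0'` from RubyGems is an improvement, but the adjacent `voxpupuli-release` line in the same group still resolves an unpinned git URL with no `ref:`, `tag:` or `branch:`, so every fresh `bundle install` fetches whatever that repository's default branch currently points at. Pinning it the same way — a released gem version, or at least a `tag:`/`ref:` — would make the test toolchain reproducible. The `group :test` block starts and ends outside the hunk.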
@@ -14,476 +14,479 @@ AllCops: - Gemfile - Rakefile Lint/ConditionPosition: - Enabled: true + Enabled: True Lint/ElseLayout: - Enabled: true + Enabled: True Lint/UnreachableCode: - Enabled: true + Enabled: True Lint/UselessComparison: - Enabled: true + Enabled: True Lint/EnsureReturn: - Enabled: true + Enabled: True Lint/HandleExceptions: - Enabled: true + Enabled: True + +Lint/LiteralInCondition: + Enabled: True Lint/ShadowingOuterLocalVariable: - Enabled: true + Enabled: True Lint/LiteralInInterpolation: - Enabled: true + Enabled: True Style/HashSyntax: - Enabled: false + Enabled: True Style/RedundantReturn: - Enabled: true + Enabled: True Lint/AmbiguousOperator: - Enabled: true + Enabled: True Lint/AssignmentInCondition: - Enabled: true + Enabled: True -Layout/SpaceBeforeComment: - Enabled: true +Style/SpaceBeforeComment: + Enabled: True Style/AndOr: - Enabled: true + Enabled: True Style/RedundantSelf: - Enabled: true + Enabled: True + +Metrics/BlockLength: + Enabled: False # Method length is not necessarily an indicator of code quality Metrics/MethodLength: - Enabled: false + Enabled: False # Module length is not necessarily an indicator of code quality Metrics/ModuleLength: - Enabled: false + Enabled: False Style/WhileUntilModifier: - Enabled: true + Enabled: True Lint/AmbiguousRegexpLiteral: - Enabled: true + Enabled: True Security/Eval: - Enabled: true + Enabled: True Lint/BlockAlignment: - Enabled: true + Enabled: True Lint/DefEndAlignment: - Enabled: true + Enabled: True Lint/EndAlignment: - Enabled: true + Enabled: True Lint/DeprecatedClassMethods: - Enabled: true + Enabled: True Lint/Loop: - Enabled: true + Enabled: True Lint/ParenthesesAsGroupedExpression: - Enabled: true + Enabled: True Lint/RescueException: - Enabled: true + Enabled: True Lint/StringConversionInInterpolation: - Enabled: true + Enabled: True Lint/UnusedBlockArgument: - Enabled: true + Enabled: True Lint/UnusedMethodArgument: - Enabled: true + Enabled: True Lint/UselessAccessModifier: - 
Enabled: true + Enabled: True Lint/UselessAssignment: - Enabled: true + Enabled: True Lint/Void: - Enabled: true + Enabled: True -Layout/AccessModifierIndentation: - Enabled: true +Style/AccessModifierIndentation: + Enabled: True -Naming/AccessorMethodName: - Enabled: true +Style/AccessorMethodName: + Enabled: True Style/Alias: - Enabled: true + Enabled: True -Layout/AlignArray: - Enabled: true +Style/AlignArray: + Enabled: True -Layout/AlignHash: - Enabled: true +Style/AlignHash: + Enabled: True -Layout/AlignParameters: - Enabled: true +Style/AlignParameters: + Enabled: True Metrics/BlockNesting: - Enabled: true + Enabled: True Style/AsciiComments: - Enabled: true + Enabled: True Style/Attr: - Enabled: true + Enabled: True Style/BracesAroundHashParameters: - Enabled: true + Enabled: True Style/CaseEquality: - Enabled: true + Enabled: True -Layout/CaseIndentation: - Enabled: true +Style/CaseIndentation: + Enabled: True Style/CharacterLiteral: - Enabled: true + Enabled: True -Naming/ClassAndModuleCamelCase: - Enabled: true +Style/ClassAndModuleCamelCase: + Enabled: True Style/ClassAndModuleChildren: - Enabled: false + Enabled: False Style/ClassCheck: - Enabled: true + Enabled: True # Class length is not necessarily an indicator of code quality Metrics/ClassLength: - Enabled: false + Enabled: False Style/ClassMethods: - Enabled: true + Enabled: True Style/ClassVars: - Enabled: true + Enabled: True Style/WhenThen: - Enabled: true + Enabled: True Style/WordArray: - Enabled: true + Enabled: True Style/UnneededPercentQ: - Enabled: true + Enabled: True -Layout/Tab: - Enabled: true +Style/Tab: + Enabled: True -Layout/SpaceBeforeSemicolon: - Enabled: true +Style/SpaceBeforeSemicolon: + Enabled: True -Layout/TrailingBlankLines: - Enabled: true +Style/TrailingBlankLines: + Enabled: True -Layout/SpaceInsideBlockBraces: - Enabled: true +Style/SpaceInsideBlockBraces: + Enabled: True -Layout/SpaceInsideHashLiteralBraces: - Enabled: true +Style/SpaceInsideBrackets: + Enabled: True 
-Layout/SpaceInsideParens: - Enabled: true +Style/SpaceInsideHashLiteralBraces: + Enabled: True -Layout/LeadingCommentSpace: - Enabled: true +Style/SpaceInsideParens: + Enabled: True -Layout/SpaceBeforeFirstArg: - Enabled: true +Style/LeadingCommentSpace: + Enabled: True -Layout/SpaceAfterColon: - Enabled: true +Style/SpaceBeforeFirstArg: + Enabled: True -Layout/SpaceAfterComma: - Enabled: true +Style/SpaceAfterColon: + Enabled: True -Layout/SpaceAfterMethodName: - Enabled: true +Style/SpaceAfterComma: + Enabled: True -Layout/SpaceAfterNot: - Enabled: true +Style/SpaceAfterMethodName: + Enabled: True -Layout/SpaceAfterSemicolon: - Enabled: true +Style/SpaceAfterNot: + Enabled: True -Layout/SpaceAroundEqualsInParameterDefault: - Enabled: true +Style/SpaceAfterSemicolon: + Enabled: True -Layout/SpaceAroundOperators: - Enabled: true +Style/SpaceAroundEqualsInParameterDefault: + Enabled: True -Layout/SpaceBeforeBlockBraces: - Enabled: true +Style/SpaceAroundOperators: + Enabled: True -Layout/SpaceBeforeComma: - Enabled: true +Style/SpaceBeforeBlockBraces: + Enabled: True + +Style/SpaceBeforeComma: + Enabled: True Style/CollectionMethods: - Enabled: true + Enabled: True -Layout/CommentIndentation: - Enabled: true +Style/CommentIndentation: + Enabled: True Style/ColonMethodCall: - Enabled: true + Enabled: True Style/CommentAnnotation: - Enabled: true + Enabled: True # 'Complexity' is very relative Metrics/CyclomaticComplexity: - Enabled: false + Enabled: False -Naming/ConstantName: - Enabled: true +Style/ConstantName: + Enabled: True Style/Documentation: - Enabled: false + Enabled: False Style/DefWithParentheses: - Enabled: true + Enabled: True Style/PreferredHashMethods: - Enabled: true + Enabled: True Layout/DotPosition: EnforcedStyle: trailing Style/DoubleNegation: - Enabled: true + Enabled: True Style/EachWithObject: - Enabled: true + Enabled: True -Layout/EmptyLineBetweenDefs: - Enabled: true +Style/EmptyLineBetweenDefs: + Enabled: True -Layout/IndentArray: - 
Enabled: true +Style/IndentArray: + Enabled: True -Layout/IndentHash: - Enabled: true +Style/IndentHash: + Enabled: True -Layout/IndentationConsistency: - Enabled: true +Style/IndentationConsistency: + Enabled: True -Layout/IndentationWidth: - Enabled: true +Style/IndentationWidth: + Enabled: True -Layout/EmptyLines: - Enabled: true +Style/EmptyLines: + Enabled: True -Layout/EmptyLinesAroundAccessModifier: - Enabled: true +Style/EmptyLinesAroundAccessModifier: + Enabled: True Style/EmptyLiteral: - Enabled: true + Enabled: True # Configuration parameters: AllowURI, URISchemes. Metrics/LineLength: - Enabled: false + Enabled: False Style/MethodCallWithoutArgsParentheses: - Enabled: true + Enabled: True Style/MethodDefParentheses: - Enabled: true + Enabled: True Style/LineEndConcatenation: - Enabled: true + Enabled: True -Layout/TrailingWhitespace: - Enabled: true +Style/TrailingWhitespace: + Enabled: True Style/StringLiterals: - Enabled: true + Enabled: True Style/TrailingCommaInArguments: - Enabled: true + Enabled: True -Style/TrailingCommaInArrayLiteral: - Enabled: true - -Style/TrailingCommaInHashLiteral: - Enabled: true +Style/TrailingCommaInLiteral: + Enabled: True Style/GlobalVars: - Enabled: true + Enabled: True Style/GuardClause: - Enabled: true + Enabled: True Style/IfUnlessModifier: - Enabled: true + Enabled: True Style/MultilineIfThen: - Enabled: true + Enabled: True Style/NegatedIf: - Enabled: true + Enabled: True Style/NegatedWhile: - Enabled: true + Enabled: True Style/Next: - Enabled: true + Enabled: True Style/SingleLineBlockParams: - Enabled: true + Enabled: True Style/SingleLineMethods: - Enabled: true + Enabled: True Style/SpecialGlobalVars: - Enabled: true + Enabled: True Style/TrivialAccessors: - Enabled: true + Enabled: True Style/UnlessElse: - Enabled: true + Enabled: True Style/VariableInterpolation: - Enabled: true + Enabled: True -Naming/VariableName: - Enabled: true +Style/VariableName: + Enabled: True Style/WhileUntilDo: - Enabled: true + 
Enabled: True Style/EvenOdd: - Enabled: true + Enabled: True -Naming/FileName: - Enabled: true +Style/FileName: + Enabled: True Style/For: - Enabled: true + Enabled: True Style/Lambda: - Enabled: true + Enabled: True -Naming/MethodName: - Enabled: true +Style/MethodName: + Enabled: True Style/MultilineTernaryOperator: - Enabled: true + Enabled: True Style/NestedTernaryOperator: - Enabled: true + Enabled: True Style/NilComparison: - Enabled: true + Enabled: True Style/FormatString: - Enabled: true + Enabled: True Style/MultilineBlockChain: - Enabled: true + Enabled: True Style/Semicolon: - Enabled: true + Enabled: True Style/SignalException: - Enabled: true + Enabled: True Style/NonNilCheck: - Enabled: true + Enabled: True Style/Not: - Enabled: true + Enabled: True Style/NumericLiterals: - Enabled: true + Enabled: True Style/OneLineConditional: - Enabled: true + Enabled: True -Naming/BinaryOperatorParameterName: - Enabled: true +Style/OpMethod: + Enabled: True Style/ParenthesesAroundCondition: - Enabled: true + Enabled: True Style/PercentLiteralDelimiters: - Enabled: true + Enabled: True Style/PerlBackrefs: - Enabled: true + Enabled: True -Naming/PredicateName: - Enabled: true +Style/PredicateName: + Enabled: True Style/RedundantException: - Enabled: true + Enabled: True Style/SelfAssignment: - Enabled: true + Enabled: True Style/Proc: - Enabled: true + Enabled: True Style/RaiseArgs: - Enabled: true + Enabled: True Style/RedundantBegin: - Enabled: true + Enabled: True Style/RescueModifier: - Enabled: true + Enabled: True # based on https://github.com/voxpupuli/modulesync_config/issues/168 Style/RegexpLiteral: EnforcedStyle: percent_r - Enabled: true + Enabled: True Lint/UnderscorePrefixedVariableName: - Enabled: true + Enabled: True Metrics/ParameterLists: - Enabled: false + Enabled: False Lint/RequireParentheses: - Enabled: true + Enabled: True -Layout/SpaceBeforeFirstArg: - Enabled: true +Style/SpaceBeforeFirstArg: + Enabled: True Style/ModuleFunction: - Enabled: 
true + Enabled: True Lint/Debugger: - Enabled: true + Enabled: True Style/IfWithSemicolon: - Enabled: true + Enabled: True Style/Encoding: - Enabled: true + Enabled: True Style/BlockDelimiters: - Enabled: true - -Style/FormatStringToken: - Enabled: false + Enabled: True -Layout/MultilineBlockLayout: - Enabled: true +Style/MultilineBlockLayout: + Enabled: True # 'Complexity' is very relative Metrics/AbcSize: @@ -497,10 +500,10 @@ Metrics/PerceivedComplexity: Enabled: False Lint/UselessAssignment: - Enabled: true + Enabled: True -Layout/ClosingParenthesisIndentation: - Enabled: false +Style/ClosingParenthesisIndentation: + Enabled: True # RSpec @@ -511,7 +514,18 @@ RSpec/DescribeClass: # Example length is not necessarily an indicator of code quality RSpec/ExampleLength: Enabled: False -RSpec/NestedGroups: - Max: 5 -RSpec/MultipleExpectations: - Max: 3 + +RSpec/NamedSubject: + Enabled: False + +# disabled for now since they cause a lot of issues +# these issues aren't easy to fix +RSpec/RepeatedDescription: + Enabled: False + +RSpec/NestedGroups: + Enabled: False + +# disable Yaml safe_load. This is needed to support ruby2.0.0 development envs +Security/YAMLLoad: + Enabled: false From b2541a2e437d37b6dd66983d544f14d60977dc72 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Wed, 24 May 2017 13:22:17 +0200 Subject: [PATCH 081/246] rubocop: autofixes --- lib/facter/ssh_client_version.rb | 8 +++++--- lib/facter/ssh_server_version.rb | 8 ++++---- lib/puppet/parser/functions/ipaddresses.rb | 6 +++--- .../sshclient_options_to_augeas_ssh_config.rb | 2 +- .../sshserver_options_to_augeas_sshd_config.rb | 2 +- spec/classes/server_spec.rb | 12 +++++------- 6 files changed, 19 insertions(+), 19 deletions(-) diff --git a/lib/facter/ssh_client_version.rb b/lib/facter/ssh_client_version.rb index 830986e1..92dadab6 100644 --- a/lib/facter/ssh_client_version.rb +++ b/lib/facter/ssh_client_version.rb 
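Review bot: `Style/SpaceBeforeFirstArg` is declared twice in this hunk (once among the `Space*` cops and again after `Lint/RequireParentheses`), and `Lint/UselessAssignment` appears both here and in the following `@@ -497` hunk; YAML keeps the last duplicate key silently, so one entry of each pair should be dropped. The hunk also renames `Layout/*` and `Naming/*` cops back to their older `Style/*` names, which only resolve on RuboCop versions predating those departments; if that is deliberate to match the pinned rubocop gem, a comment at the top of the file naming the targeted RuboCop version would stop the next sync from reverting it.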
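Review bot: `Security/YAMLLoad: Enabled: false` turns off the cop that flags `YAML.load` on untrusted input for the whole repository, not just the Ruby 2.0 development environments the comment mentions. If `YAML.safe_load` is unavailable on that Ruby, scope the exception to the files that need it with an `Exclude:` list or an inline `# rubocop:disable Security/YAMLLoad` at the call site, and keep the cop enabled everywhere else; the comment should also say the cop is to be re-enabled once Ruby 2.0 support is dropped.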
@@ -1,5 +1,5 @@ Facter.add('ssh_client_version_full') do - confine :kernel => %w[Linux SunOS FreeBSD DragonFly Darwin] + confine kernel: %w[Linux SunOS FreeBSD DragonFly Darwin] setcode do if Facter::Util::Resolution.which('ssh') @@ -16,7 +16,8 @@ end Facter.add('ssh_client_version_major') do - confine :kernel => %w[Linux SunOS FreeBSD DragonFly Darwin] + confine kernel: %w[Linux SunOS FreeBSD DragonFly Darwin] + confine ssh_client_version_full: true setcode do version = Facter.value('ssh_client_version_full') @@ -25,7 +26,8 @@ end Facter.add('ssh_client_version_release') do - confine :kernel => %w[Linux SunOS FreeBSD DragonFly Darwin] + confine kernel: %w[Linux SunOS FreeBSD DragonFly Darwin] + confine ssh_client_version_full: true setcode do version = Facter.value('ssh_client_version_full') diff --git a/lib/facter/ssh_server_version.rb b/lib/facter/ssh_server_version.rb index 10e63d89..e04cfda2 100644 --- a/lib/facter/ssh_server_version.rb +++ b/lib/facter/ssh_server_version.rb @@ -1,5 +1,5 @@ Facter.add('ssh_server_version_full') do - confine :kernel => %w[Linux SunOS FreeBSD DragonFly Darwin] + confine kernel: %w[Linux SunOS FreeBSD DragonFly Darwin] setcode do if Facter::Util::Resolution.which('sshd') @@ -19,8 +19,8 @@ end Facter.add('ssh_server_version_major') do - confine :kernel => %w[Linux SunOS FreeBSD DragonFly Darwin] - confine :ssh_server_version_full => %r{\d+} + confine kernel: %w[Linux SunOS FreeBSD DragonFly DragonFly Darwin] + confine ssh_server_version_full: %r{\d+} setcode do version = Facter.value('ssh_server_version_full') @@ -36,7 +36,7 @@ end Facter.add('ssh_server_version_release') do - confine :ssh_server_version_full => %r{\d+} + confine ssh_server_version_full: %r{\d+} setcode do version = Facter.value('ssh_server_version_full') diff --git a/lib/puppet/parser/functions/ipaddresses.rb b/lib/puppet/parser/functions/ipaddresses.rb index 0f1ed217..7aadd50c 100644 --- a/lib/puppet/parser/functions/ipaddresses.rb 
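Review bot: The added `confine ssh_client_version_full: true` in the ssh_client_version_major and ssh_client_version_release hunks compares the fact's value with the literal `true`; unless the `_full` fact really returns `true` (its name and the `Facter.value('ssh_client_version_full')` parse below suggest a version string), a Facter release that compares confine values by equality would never run these resolvers. The sibling file already uses `confine ssh_server_version_full: %r{\d+}`, which both matches a real version string and documents the intent; `confine ssh_client_version_full: %r{\d+}` would keep the two fact files consistent. The `setcode` bodies continue outside the hunks, so whether they tolerate a nil `_full` value cannot be checked here.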
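Review bot: The rewritten confine in the ssh_server_version_major hunk lists `DragonFly` twice: `confine kernel: %w[Linux SunOS FreeBSD DragonFly DragonFly Darwin]`. The duplicate is harmless at runtime, but it drifts from every other kernel confine in these two files and reads like an autofix artefact; it should be `confine kernel: %w[Linux SunOS FreeBSD DragonFly Darwin]`.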
+++ b/lib/puppet/parser/functions/ipaddresses.rb @@ -1,8 +1,8 @@ module Puppet::Parser::Functions - newfunction(:ipaddresses, :type => :rvalue, :doc => <<-DOC + newfunction(:ipaddresses, type: :rvalue, doc: <<-EOS Returns all ip addresses of network interfaces (except lo) found by facter. -DOC - ) do |_args| +EOS + ) do |_args| interfaces = lookupvar('interfaces') # In Puppet v2.7, lookupvar returns :undefined if the variable does diff --git a/lib/puppet/parser/functions/sshclient_options_to_augeas_ssh_config.rb b/lib/puppet/parser/functions/sshclient_options_to_augeas_ssh_config.rb index c31c6ff3..cd9a6e5d 100644 --- a/lib/puppet/parser/functions/sshclient_options_to_augeas_ssh_config.rb +++ b/lib/puppet/parser/functions/sshclient_options_to_augeas_ssh_config.rb @@ -1,5 +1,5 @@ module Puppet::Parser::Functions - newfunction(:sshclient_options_to_augeas_ssh_config, :type => :rvalue, :doc => <<-'DOC') do |args| + newfunction(:sshclient_options_to_augeas_ssh_config, type: :rvalue, doc: <<-'DOC') do |args| This function will convert a key-value hash to a format understandable by the augeas sshd_config provider It will also optionally deal with keys that should be absent, and inject static parameters if supplied. diff --git a/lib/puppet/parser/functions/sshserver_options_to_augeas_sshd_config.rb b/lib/puppet/parser/functions/sshserver_options_to_augeas_sshd_config.rb index 7f474376..c34a253b 100644 --- a/lib/puppet/parser/functions/sshserver_options_to_augeas_sshd_config.rb +++ b/lib/puppet/parser/functions/sshserver_options_to_augeas_sshd_config.rb 
@@ -1,5 +1,5 @@ module Puppet::Parser::Functions - newfunction(:sshserver_options_to_augeas_sshd_config, :type => :rvalue, :doc => <<-'DOC') do |args| + newfunction(:sshserver_options_to_augeas_sshd_config, type: :rvalue, doc: <<-'DOC') do |args| This function will convert a key-value hash to a format understandable by the augeas sshd_config provider It will also optionally deal with keys that should be absent, and inject static parameters if supplied. diff --git a/spec/classes/server_spec.rb b/spec/classes/server_spec.rb index 330870f2..b1db3829 100644 --- a/spec/classes/server_spec.rb +++ b/spec/classes/server_spec.rb @@ -103,7 +103,7 @@ 'enable' => true, 'hasrestart' => true, 'hasstatus' => true - ) + ) end it { is_expected.to contain_concat('/etc/ssh/sshd_config') } @@ -120,8 +120,7 @@ UsePAM yes X11Forwarding yes ' - # rubocop:enable EmptyLinesAroundArguments - ) + ) end end describe 'on Arch' do @@ -150,7 +149,7 @@ is_expected.to contain_package('openssh').with( ensure: param_hash[:ensure], name: 'openssh' - ) + ) end it do @@ -159,7 +158,7 @@ 'enable' => true, 'hasrestart' => true, 'hasstatus' => true - ) + ) end it { is_expected.to contain_concat('/etc/ssh/sshd_config') } @@ -176,8 +175,7 @@ UsePAM yes X11Forwarding yes ' - # rubocop:enable EmptyLinesAroundArguments - ) + ) end end end From 9aec9b6f590098a80d6d1c3e62b09325e8f32a75 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Sun, 24 Jun 2018 08:48:43 +0200 Subject: [PATCH 082/246] linter/rubocop autofixes --- .rubocop.yml | 6 ------ manifests/client/config/user.pp | 10 +++++----- 2 files changed, 5 insertions(+), 11 deletions(-) diff --git a/.rubocop.yml b/.rubocop.yml index ec786e22..674b320c 100644 --- a/.rubocop.yml +++ b/.rubocop.yml @@ -324,9 +324,6 @@ Style/StringLiterals: Style/TrailingCommaInArguments: Enabled: True -Style/TrailingCommaInLiteral: - Enabled: True - Style/GlobalVars: Enabled: True 
@@ -420,9 +417,6 @@ Style/NumericLiterals: Style/OneLineConditional: Enabled: True -Style/OpMethod: - Enabled: True - Style/ParenthesesAroundCondition: Enabled: True diff --git a/manifests/client/config/user.pp b/manifests/client/config/user.pp index 7ea0f5f7..6b3d234d 100644 --- a/manifests/client/config/user.pp +++ b/manifests/client/config/user.pp @@ -22,7 +22,7 @@ } else { if ($user_home_dir == undef) { - $_user_home_dir = "/home/${user}" + $_user_home_dir = "/home/${name}" } else { $_user_home_dir = $user_home_dir @@ -35,7 +35,7 @@ unless defined(File[$user_ssh_dir]) { file { $user_ssh_dir: ensure => directory, - owner => $user, + owner => $name, mode => $::ssh::params::user_ssh_directory_default_mode, before => Concat_file[$_target], } @@ -46,13 +46,13 @@ unless defined(Concat_file[$_target]) { concat_file{$_target: ensure => $ensure, - owner => $user, + owner => $name, mode => $::ssh::params::user_ssh_config_default_mode, - tag => $user, + tag => $name, } } concat_fragment{$name: - tag => $user, + tag => $name, content => template("${module_name}/ssh_config.erb"), target => $_target, } From af98f00765ef7615cf6e82e567623a93d384d363 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Sun, 8 Jul 2018 21:59:00 +0200 Subject: [PATCH 083/246] stick to specific rubocop version --- .rubocop.yml | 405 ++++++++++++------------ Gemfile | 6 +- spec/classes/server_spec.rb | 3 - spec/defines/client/config/user_spec.rb | 6 +- 4 files changed, 198 insertions(+), 222 deletions(-) diff --git a/.rubocop.yml b/.rubocop.yml index 674b320c..fd9fe749 100644 --- a/.rubocop.yml +++ b/.rubocop.yml 
@@ -14,473 +14,467 @@ AllCops: - Gemfile - Rakefile Lint/ConditionPosition: - Enabled: True + Enabled: true Lint/ElseLayout: - Enabled: True + Enabled: true Lint/UnreachableCode: - Enabled: True + Enabled: true Lint/UselessComparison: - Enabled: True + Enabled: true Lint/EnsureReturn: - Enabled: True + Enabled: true Lint/HandleExceptions: - Enabled: True - -Lint/LiteralInCondition: - Enabled: True + Enabled: true Lint/ShadowingOuterLocalVariable: - Enabled: True + Enabled: true Lint/LiteralInInterpolation: - Enabled: True + Enabled: true Style/HashSyntax: - Enabled: True + Enabled: false Style/RedundantReturn: - Enabled: True + Enabled: true Lint/AmbiguousOperator: - Enabled: True + Enabled: true Lint/AssignmentInCondition: - Enabled: True + Enabled: true -Style/SpaceBeforeComment: - Enabled: True +Layout/SpaceBeforeComment: + Enabled: true Style/AndOr: - Enabled: True + Enabled: true Style/RedundantSelf: - Enabled: True - -Metrics/BlockLength: - Enabled: False + Enabled: true # Method length is not necessarily an indicator of code quality Metrics/MethodLength: - Enabled: False + Enabled: false # Module length is not necessarily an indicator of code quality Metrics/ModuleLength: - Enabled: False + Enabled: false Style/WhileUntilModifier: - Enabled: True + Enabled: true Lint/AmbiguousRegexpLiteral: - Enabled: True + Enabled: true Security/Eval: - Enabled: True + Enabled: true Lint/BlockAlignment: - Enabled: True + Enabled: true Lint/DefEndAlignment: - Enabled: True + Enabled: true Lint/EndAlignment: - Enabled: True + Enabled: true Lint/DeprecatedClassMethods: - Enabled: True + Enabled: true Lint/Loop: - Enabled: True + Enabled: true Lint/ParenthesesAsGroupedExpression: - Enabled: True + Enabled: true Lint/RescueException: - Enabled: True + Enabled: true Lint/StringConversionInInterpolation: - Enabled: True + Enabled: true Lint/UnusedBlockArgument: - Enabled: True + Enabled: true Lint/UnusedMethodArgument: - Enabled: True + Enabled: true Lint/UselessAccessModifier: - 
Enabled: True + Enabled: true Lint/UselessAssignment: - Enabled: True + Enabled: true Lint/Void: - Enabled: True + Enabled: true -Style/AccessModifierIndentation: - Enabled: True +Layout/AccessModifierIndentation: + Enabled: true Style/AccessorMethodName: - Enabled: True + Enabled: true Style/Alias: - Enabled: True + Enabled: true -Style/AlignArray: - Enabled: True +Layout/AlignArray: + Enabled: true -Style/AlignHash: - Enabled: True +Layout/AlignHash: + Enabled: true -Style/AlignParameters: - Enabled: True +Layout/AlignParameters: + Enabled: true Metrics/BlockNesting: - Enabled: True + Enabled: true Style/AsciiComments: - Enabled: True + Enabled: true Style/Attr: - Enabled: True + Enabled: true Style/BracesAroundHashParameters: - Enabled: True + Enabled: true Style/CaseEquality: - Enabled: True + Enabled: true -Style/CaseIndentation: - Enabled: True +Layout/CaseIndentation: + Enabled: true Style/CharacterLiteral: - Enabled: True + Enabled: true Style/ClassAndModuleCamelCase: - Enabled: True + Enabled: true Style/ClassAndModuleChildren: - Enabled: False + Enabled: false Style/ClassCheck: - Enabled: True + Enabled: true # Class length is not necessarily an indicator of code quality Metrics/ClassLength: - Enabled: False + Enabled: false Style/ClassMethods: - Enabled: True + Enabled: true Style/ClassVars: - Enabled: True + Enabled: true Style/WhenThen: - Enabled: True + Enabled: true Style/WordArray: - Enabled: True + Enabled: true Style/UnneededPercentQ: - Enabled: True + Enabled: true -Style/Tab: - Enabled: True +Layout/Tab: + Enabled: true -Style/SpaceBeforeSemicolon: - Enabled: True +Layout/SpaceBeforeSemicolon: + Enabled: true -Style/TrailingBlankLines: - Enabled: True +Layout/TrailingBlankLines: + Enabled: true -Style/SpaceInsideBlockBraces: - Enabled: True +Layout/SpaceInsideBlockBraces: + Enabled: true -Style/SpaceInsideBrackets: - Enabled: True +Layout/SpaceInsideHashLiteralBraces: + Enabled: true -Style/SpaceInsideHashLiteralBraces: - Enabled: True 
+Layout/SpaceInsideParens: + Enabled: true -Style/SpaceInsideParens: - Enabled: True +Layout/LeadingCommentSpace: + Enabled: true -Style/LeadingCommentSpace: - Enabled: True +Layout/SpaceBeforeFirstArg: + Enabled: true -Style/SpaceBeforeFirstArg: - Enabled: True +Layout/SpaceAfterColon: + Enabled: true -Style/SpaceAfterColon: - Enabled: True +Layout/SpaceAfterComma: + Enabled: true -Style/SpaceAfterComma: - Enabled: True +Layout/SpaceAfterMethodName: + Enabled: true -Style/SpaceAfterMethodName: - Enabled: True +Layout/SpaceAfterNot: + Enabled: true -Style/SpaceAfterNot: - Enabled: True +Layout/SpaceAfterSemicolon: + Enabled: true -Style/SpaceAfterSemicolon: - Enabled: True +Layout/SpaceAroundEqualsInParameterDefault: + Enabled: true -Style/SpaceAroundEqualsInParameterDefault: - Enabled: True +Layout/SpaceAroundOperators: + Enabled: true -Style/SpaceAroundOperators: - Enabled: True +Layout/SpaceBeforeBlockBraces: + Enabled: true -Style/SpaceBeforeBlockBraces: - Enabled: True - -Style/SpaceBeforeComma: - Enabled: True +Layout/SpaceBeforeComma: + Enabled: true Style/CollectionMethods: - Enabled: True + Enabled: true -Style/CommentIndentation: - Enabled: True +Layout/CommentIndentation: + Enabled: true Style/ColonMethodCall: - Enabled: True + Enabled: true Style/CommentAnnotation: - Enabled: True + Enabled: true # 'Complexity' is very relative Metrics/CyclomaticComplexity: - Enabled: False + Enabled: false Style/ConstantName: - Enabled: True + Enabled: true Style/Documentation: - Enabled: False + Enabled: false Style/DefWithParentheses: - Enabled: True + Enabled: true Style/PreferredHashMethods: - Enabled: True + Enabled: true Layout/DotPosition: EnforcedStyle: trailing Style/DoubleNegation: - Enabled: True + Enabled: true Style/EachWithObject: - Enabled: True + Enabled: true -Style/EmptyLineBetweenDefs: - Enabled: True +Layout/EmptyLineBetweenDefs: + Enabled: true -Style/IndentArray: - Enabled: True +Layout/IndentArray: + Enabled: true -Style/IndentHash: - Enabled: 
True +Layout/IndentHash: + Enabled: true -Style/IndentationConsistency: - Enabled: True +Layout/IndentationConsistency: + Enabled: true -Style/IndentationWidth: - Enabled: True +Layout/IndentationWidth: + Enabled: true -Style/EmptyLines: - Enabled: True +Layout/EmptyLines: + Enabled: true -Style/EmptyLinesAroundAccessModifier: - Enabled: True +Layout/EmptyLinesAroundAccessModifier: + Enabled: true Style/EmptyLiteral: - Enabled: True + Enabled: true # Configuration parameters: AllowURI, URISchemes. Metrics/LineLength: - Enabled: False + Enabled: false Style/MethodCallWithoutArgsParentheses: - Enabled: True + Enabled: true Style/MethodDefParentheses: - Enabled: True + Enabled: true Style/LineEndConcatenation: - Enabled: True + Enabled: true -Style/TrailingWhitespace: - Enabled: True +Layout/TrailingWhitespace: + Enabled: true Style/StringLiterals: - Enabled: True + Enabled: true Style/TrailingCommaInArguments: - Enabled: True + Enabled: true Style/GlobalVars: - Enabled: True + Enabled: true Style/GuardClause: - Enabled: True + Enabled: true Style/IfUnlessModifier: - Enabled: True + Enabled: true Style/MultilineIfThen: - Enabled: True + Enabled: true Style/NegatedIf: - Enabled: True + Enabled: true Style/NegatedWhile: - Enabled: True + Enabled: true Style/Next: - Enabled: True + Enabled: true Style/SingleLineBlockParams: - Enabled: True + Enabled: true Style/SingleLineMethods: - Enabled: True + Enabled: true Style/SpecialGlobalVars: - Enabled: True + Enabled: true Style/TrivialAccessors: - Enabled: True + Enabled: true Style/UnlessElse: - Enabled: True + Enabled: true Style/VariableInterpolation: - Enabled: True + Enabled: true Style/VariableName: - Enabled: True + Enabled: true Style/WhileUntilDo: - Enabled: True + Enabled: true Style/EvenOdd: - Enabled: True + Enabled: true Style/FileName: - Enabled: True + Enabled: true Style/For: - Enabled: True + Enabled: true Style/Lambda: - Enabled: True + Enabled: true Style/MethodName: - Enabled: True + Enabled: true 
Style/MultilineTernaryOperator: - Enabled: True + Enabled: true Style/NestedTernaryOperator: - Enabled: True + Enabled: true Style/NilComparison: - Enabled: True + Enabled: true Style/FormatString: - Enabled: True + Enabled: true Style/MultilineBlockChain: - Enabled: True + Enabled: true Style/Semicolon: - Enabled: True + Enabled: true Style/SignalException: - Enabled: True + Enabled: true Style/NonNilCheck: - Enabled: True + Enabled: true Style/Not: - Enabled: True + Enabled: true Style/NumericLiterals: - Enabled: True + Enabled: true Style/OneLineConditional: - Enabled: True + Enabled: true Style/ParenthesesAroundCondition: - Enabled: True + Enabled: true Style/PercentLiteralDelimiters: - Enabled: True + Enabled: true Style/PerlBackrefs: - Enabled: True + Enabled: true Style/PredicateName: - Enabled: True + Enabled: true Style/RedundantException: - Enabled: True + Enabled: true Style/SelfAssignment: - Enabled: True + Enabled: true Style/Proc: - Enabled: True + Enabled: true Style/RaiseArgs: - Enabled: True + Enabled: true Style/RedundantBegin: - Enabled: True + Enabled: true Style/RescueModifier: - Enabled: True + Enabled: true # based on https://github.com/voxpupuli/modulesync_config/issues/168 Style/RegexpLiteral: EnforcedStyle: percent_r - Enabled: True + Enabled: true Lint/UnderscorePrefixedVariableName: - Enabled: True + Enabled: true Metrics/ParameterLists: - Enabled: False + Enabled: false Lint/RequireParentheses: - Enabled: True + Enabled: true -Style/SpaceBeforeFirstArg: - Enabled: True +Layout/SpaceBeforeFirstArg: + Enabled: true Style/ModuleFunction: - Enabled: True + Enabled: true Lint/Debugger: - Enabled: True + Enabled: true Style/IfWithSemicolon: - Enabled: True + Enabled: true Style/Encoding: - Enabled: True + Enabled: true Style/BlockDelimiters: - Enabled: True + Enabled: true + +Style/FormatStringToken: + Enabled: false -Style/MultilineBlockLayout: - Enabled: True +Layout/MultilineBlockLayout: + Enabled: true # 'Complexity' is very relative 
Metrics/AbcSize: @@ -494,10 +488,10 @@ Metrics/PerceivedComplexity: Enabled: False Lint/UselessAssignment: - Enabled: True + Enabled: true -Style/ClosingParenthesisIndentation: - Enabled: True +Layout/ClosingParenthesisIndentation: + Enabled: false # RSpec @@ -508,18 +502,7 @@ RSpec/DescribeClass: # Example length is not necessarily an indicator of code quality RSpec/ExampleLength: Enabled: False - -RSpec/NamedSubject: - Enabled: False - -# disabled for now since they cause a lot of issues -# these issues aren't easy to fix -RSpec/RepeatedDescription: - Enabled: False - -RSpec/NestedGroups: - Enabled: False - -# disable Yaml safe_load. This is needed to support ruby2.0.0 development envs -Security/YAMLLoad: - Enabled: false +RSpec/NestedGroups: + Max: 5 +RSpec/MultipleExpectations: + Max: 3 diff --git a/Gemfile b/Gemfile index 2eb30672..3fc7731b 100644 --- a/Gemfile +++ b/Gemfile @@ -12,7 +12,7 @@ end group :test do gem 'puppetlabs_spec_helper', require: false - gem 'rspec-puppet', '~> 2.5', require: false + gem 'rspec-puppet', require: false gem 'rspec-puppet-facts', require: false gem 'rspec-puppet-utils', require: false gem 'puppet-lint-absolute_classname-check', require: false @@ -26,8 +26,8 @@ group :test do gem 'puppet-blacksmith', require: false gem 'voxpupuli-release', require: false, git: 'https://github.com/voxpupuli/voxpupuli-release-gem.git' gem 'puppet-strings', '~> 1.0', require: false - gem 'rubocop-rspec', '~> 1.5', require: false if RUBY_VERSION >= '2.2.0' - gem 'json_pure', '<= 2.0.1', require: false if RUBY_VERSION < '2.0.0' + gem 'rubocop', '~> 0.49.1', require: false + gem 'rubocop-rspec', require: false gem 'rspec-its', require: false end diff --git a/spec/classes/server_spec.rb b/spec/classes/server_spec.rb index b1db3829..9757af89 100644 --- a/spec/classes/server_spec.rb +++ b/spec/classes/server_spec.rb 
@@ -39,7 +39,6 @@ it do is_expected.to contain_concat__fragment('global config').with( target: '/etc/ssh/sshd_config', - # rubocop:disable EmptyLinesAroundArguments content: '# File is managed by Puppet AcceptEnv LANG LC_* @@ -110,7 +109,6 @@ it do is_expected.to contain_concat__fragment('global config').with( target: '/etc/ssh/sshd_config', - # rubocop:disable EmptyLinesAroundArguments content: '# File is managed by Puppet AcceptEnv LANG LC_* @@ -165,7 +163,6 @@ it do is_expected.to contain_concat__fragment('global config').with( target: '/etc/ssh/sshd_config', - # rubocop:disable EmptyLinesAroundArguments content: '# File is managed by Puppet AcceptEnv LANG LC_* diff --git a/spec/defines/client/config/user_spec.rb b/spec/defines/client/config/user_spec.rb index 3fc5f57f..e3fb6226 100644 --- a/spec/defines/client/config/user_spec.rb +++ b/spec/defines/client/config/user_spec.rb @@ -40,11 +40,7 @@ } end - it 'fails' do - expect do - is_expected.to not_compile - end - end + it { is_expected.not_to compile } end end end From 54706e40ec0ffeda599d9dbaf58f1768bc44684e Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Tue, 17 Jul 2018 06:46:31 +0200 Subject: [PATCH 084/246] new release: v4.0.0 --- metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/metadata.json b/metadata.json index 34b0e9e7..11cba264 100644 --- a/metadata.json +++ b/metadata.json @@ -44,7 +44,7 @@ } ], "name": "saz-ssh", - "version": "3.0.1", + "version": "4.0.0", "source": "git://github.com/saz/puppet-ssh.git", "author": "saz", "license": "Apache-2.0", From 65a95ad9f823d1533b6b29688333dfacdb948e1e Mon Sep 17 00:00:00 2001 From: Simon Lauger Date: Sun, 23 Sep 2018 00:01:27 +0200 Subject: [PATCH 085/246] added option to exclude interfaces when collecting ssh host keys --- lib/puppet/parser/functions/ipaddresses.rb | 16 ++++++++++++++++ manifests/hostkeys.pp | 3 ++- 2 files changed, 18 insertions(+), 1 deletion(-) 
diff --git a/lib/puppet/parser/functions/ipaddresses.rb b/lib/puppet/parser/functions/ipaddresses.rb
index 7aadd50c..3df9c064 100644
--- a/lib/puppet/parser/functions/ipaddresses.rb
+++ b/lib/puppet/parser/functions/ipaddresses.rb
@@ -1,10 +1,21 @@
 module Puppet::Parser::Functions
 newfunction(:ipaddresses, type: :rvalue, doc: <<-EOS
 Returns all ip addresses of network interfaces (except lo) found by facter.
+ Special network interfaces (e.g. docker0) can be excluded by an exclude list as
+ first argument for this function.
 EOS
 ) do |_args|
 interfaces = lookupvar('interfaces')
+ if _args.size == 1
+ if !_args[0].is_a?(Array)
+ raise(Puppet::ParseError, 'ipaddresses(): Requires first argument to be a Array')
+ end
+ interfaces_exclude = _args[0]
+ else
+ interfaces_exclude = []
+ end
+
 # In Puppet v2.7, lookupvar returns :undefined if the variable does
 # not exist. In Puppet 3.x, it returns nil.
 # See http://docs.puppetlabs.com/guides/custom_functions.html
@@ -15,6 +26,11 @@ module Puppet::Parser::Functions
 interfaces = interfaces.split(',')
 interfaces.each do |iface|
 next if iface.include?('lo')
+ skip_iface = false
+ interfaces_exclude.each do |iface_exclude|
+ skip_iface = true if iface.include?(iface_exclude)
+ end
+ next if skip_iface == true
 ipaddr = lookupvar("ipaddress_#{iface}")
 ipaddr6 = lookupvar("ipaddress6_#{iface}")
 result << ipaddr if ipaddr && (ipaddr != :undefined)
diff --git a/manifests/hostkeys.pp b/manifests/hostkeys.pp
index 909946e2..aead6663 100644
--- a/manifests/hostkeys.pp
+++ b/manifests/hostkeys.pp
@@ -3,10 +3,11 @@
 Boolean $export_ipaddresses = true,
 Optional[String] $storeconfigs_group = undef,
 Array $extra_aliases = [],
+ Array $exclude_interfaces = [],
 ) {
 if $export_ipaddresses == true {
- $ipaddresses = ipaddresses()
+ $ipaddresses = ipaddresses($exclude_interfaces)
 $host_aliases = flatten([ $::fqdn, $::hostname, $extra_aliases, $ipaddresses ])
 } else {
 $host_aliases = flatten([ $::fqdn, $::hostname, $extra_aliases])
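Review bot: The exclusion test in the second hunk, `skip_iface = true if iface.include?(iface_exclude)`, is a substring match, so excluding `eth0` also drops `eth01` or `veth0abc`, and an empty string in the list (`include?('')` is always true) silently excludes every interface and with it every address this function exports into the host-key aliases. If substring semantics are intended (e.g. `docker` for all docker bridges) that should be stated in the doc heredoc; otherwise compare whole names with `next if interfaces_exclude.include?(iface)`, and in either case the flag-and-loop reduces to `next if interfaces_exclude.any? { |iface_exclude| iface.include?(iface_exclude) }`. The first hunk checks only that the argument is an Array, not that its elements are strings (a non-string element makes `include?` raise TypeError during catalog compilation), and a second argument is silently ignored; in the hostkeys.pp hunk, `Array $exclude_interfaces = []` could be typed `Array[String[1]]` so empty and non-string entries are rejected at the parameter boundary instead. The enclosing newfunction block starts before the first hunk and continues past the second.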
From a0ae193ab41970aecc350aad7f66537dac409156 Mon Sep 17 00:00:00 2001 From: Simon Lauger Date: Sun, 23 Sep 2018 00:11:57 +0200 Subject: [PATCH 086/246] fix dependencies for stdlib and concat in metadata.json (5.0.0 -> 6.0.0) --- metadata.json | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/metadata.json b/metadata.json index 11cba264..637e367c 100644 --- a/metadata.json +++ b/metadata.json @@ -1,4 +1,21 @@ { + "name": "saz-ssh", + "version": "4.0.0", + "author": "saz", + "summary": "Manage SSH client and server via Puppet.", + "license": "Apache-2.0", + "source": "git://github.com/saz/puppet-ssh.git", + "project_page": "https://github.com/saz/puppet-ssh", + "dependencies": [ + { + "name": "puppetlabs/stdlib", + "version_requirement": ">= 4.24.0 < 6.0.0" + }, + { + "name": "puppetlabs/concat", + "version_requirement": ">= 2.2.0 < 6.0.0" + } + ], "operatingsystem_support": [ { "operatingsystem": "RedHat" @@ -43,22 +60,5 @@ "version_requirement": ">= 4.10.10 < 6.0.0" } ], - "name": "saz-ssh", - "version": "4.0.0", - "source": "git://github.com/saz/puppet-ssh.git", - "author": "saz", - "license": "Apache-2.0", - "summary": "Manage SSH client and server via Puppet.", - "description": "Manage SSH client and server via puppet", - "project_page": "https://github.com/saz/puppet-ssh", - "dependencies": [ - { - "name": "puppetlabs/stdlib", - "version_requirement": ">= 4.24.0 < 5.0.0" - }, - { - "name": "puppetlabs/concat", - "version_requirement": ">= 2.2.0 < 5.0.0" - } - ] + "description": "Manage SSH client and server via puppet" } From 9956891f11aabf5c572f457637e0a37f28efd6ce Mon Sep 17 00:00:00 2001 From: Simon Lauger Date: Sun, 23 Sep 2018 00:39:25 +0200 Subject: [PATCH 087/246] small fixes to make the travis ci tests works - use unless instead of negative if - removed prefix from the '_args' var --- lib/puppet/parser/functions/ipaddresses.rb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/lib/puppet/parser/functions/ipaddresses.rb b/lib/puppet/parser/functions/ipaddresses.rb
index 3df9c064..2f27fe69 100644
--- a/lib/puppet/parser/functions/ipaddresses.rb
+++ b/lib/puppet/parser/functions/ipaddresses.rb
@@ -4,14 +4,14 @@ module Puppet::Parser::Functions
 Special network interfaces (e.g. docker0) can be excluded by an exclude list as
 first argument for this function.
 EOS
- ) do |_args|
+ ) do |args|
 interfaces = lookupvar('interfaces')
- if _args.size == 1
- if !_args[0].is_a?(Array)
+ if args.size == 1
+ unless args[0].is_a?(Array)
 raise(Puppet::ParseError, 'ipaddresses(): Requires first argument to be a Array')
 end
- interfaces_exclude = _args[0]
+ interfaces_exclude = args[0]
 else
 interfaces_exclude = []
 end
From 4cb92b0faa46fc4c50b125d40eb8fdf57dcb31f7 Mon Sep 17 00:00:00 2001
From: Tim Meusel
Date: Sat, 6 Oct 2018 18:30:05 +0200
Subject: [PATCH 088/246] allow puppetlabs/stdlib 5.x

---
 metadata.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/metadata.json b/metadata.json
index 632a4915..73da8317 100644
--- a/metadata.json
+++ b/metadata.json
@@ -54,7 +54,7 @@
 "dependencies": [
 {
 "name": "puppetlabs/stdlib",
- "version_requirement": ">= 4.24.0 < 5.0.0"
+ "version_requirement": ">= 4.24.0 < 6.0.0"
 },
 {
 "name": "puppetlabs/concat",
From 9b0b17c1f39b8962738833e6b1332a981361872f Mon Sep 17 00:00:00 2001
From: Tim Meusel
Date: Sat, 6 Oct 2018 18:30:32 +0200
Subject: [PATCH 089/246] allow puppetlabs/concat 5.x

---
 .fixtures.yml | 4 +---
 metadata.json | 2 +-
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/.fixtures.yml b/.fixtures.yml
index 3082b125..185f53b7 100644
--- a/.fixtures.yml
+++ b/.fixtures.yml
@@ -1,8 +1,6 @@
 fixtures:
 repositories:
 stdlib: "https://github.com/puppetlabs/puppetlabs-stdlib"
- concat:
- repo: "https://github.com/puppetlabs/puppetlabs-concat"
- ref: "2.2.1"
+ concat: "https://github.com/puppetlabs/puppetlabs-concat"
 symlinks:
 ssh: "#{source_dir}"
diff --git a/metadata.json b/metadata.json index 632a4915..73da8317 100644 --- a/metadata.json +++ b/metadata.json @@ -58,7 +58,7 @@ }, { "name": "puppetlabs/concat", - "version_requirement": ">= 2.2.0 < 5.0.0" + "version_requirement": ">= 2.2.0 < 6.0.0" } ] } From 83020458b0529360453cc2e48fc46bdeeb1db808 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Sat, 6 Oct 2018 18:38:25 +0200 Subject: [PATCH 090/246] enable coverage reports --- spec/classes/coverage_spec.rb | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 spec/classes/coverage_spec.rb diff --git a/spec/classes/coverage_spec.rb b/spec/classes/coverage_spec.rb new file mode 100644 index 00000000..de446548 --- /dev/null +++ b/spec/classes/coverage_spec.rb @@ -0,0 +1,4 @@ +require 'rspec-puppet' + +at_exit { RSpec::Puppet::Coverage.report! } +# vim: syntax=ruby From 9560a4c4d293a5cd4d8cb5d93a804dad253ddf2d Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Sat, 6 Oct 2018 18:39:29 +0200 Subject: [PATCH 091/246] require latest PSH to simplify .fixtures.yml --- .fixtures.yml | 2 -- Gemfile | 2 +- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/.fixtures.yml b/.fixtures.yml index 3082b125..055c45fc 100644 --- a/.fixtures.yml +++ b/.fixtures.yml @@ -4,5 +4,3 @@ fixtures: concat: repo: "https://github.com/puppetlabs/puppetlabs-concat" ref: "2.2.1" - symlinks: - ssh: "#{source_dir}" diff --git a/Gemfile b/Gemfile index 3fc7731b..577f4876 100644 --- a/Gemfile +++ b/Gemfile @@ -11,7 +11,7 @@ def location_for(place, fake_version = nil) end group :test do - gem 'puppetlabs_spec_helper', require: false + gem 'puppetlabs_spec_helper', '>= 2.11.0', require: false gem 'rspec-puppet', require: false gem 'rspec-puppet-facts', require: false gem 'rspec-puppet-utils', require: false From 3ba8af997f20790ccaa5eedf28635ff079faac04 Mon Sep 17 00:00:00 2001 
From: Tim Meusel Date: Sat, 6 Oct 2018 18:42:13 +0200 Subject: [PATCH 092/246] allow puppet 6.x --- metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/metadata.json b/metadata.json index 11cba264..78773199 100644 --- a/metadata.json +++ b/metadata.json @@ -40,7 +40,7 @@ "requirements": [ { "name": "puppet", - "version_requirement": ">= 4.10.10 < 6.0.0" + "version_requirement": ">= 4.10.10 < 7.0.0" } ], "name": "saz-ssh", From a1c6038538d9c678b844daf56f55d950c0fea343 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Sat, 13 Oct 2018 13:51:41 +0200 Subject: [PATCH 093/246] remove trailing comma in metadata.json --- metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/metadata.json b/metadata.json index 24f350c1..4da6c82d 100644 --- a/metadata.json +++ b/metadata.json @@ -60,5 +60,5 @@ "name": "puppet", "version_requirement": ">= 4.10.10 < 7.0.0" } - ], + ] } From f0dd3ddf0c10bdb86cae7bd6d97c6c4e709157b3 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Sat, 13 Oct 2018 20:03:00 +0200 Subject: [PATCH 094/246] drop puppet 3 support --- manifests/client/config.pp | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/manifests/client/config.pp b/manifests/client/config.pp index 7ee1a8cd..7f7cff4c 100644 --- a/manifests/client/config.pp +++ b/manifests/client/config.pp @@ -17,15 +17,4 @@ require => Class['ssh::client::install'], } } - - # Workaround for https://tickets.puppetlabs.com/browse/PUP-1177. - # Fixed in Puppet 3.7.0 - if versioncmp($::puppetversion, '3.7.0') < 0 { - ensure_resource('file', '/etc/ssh/ssh_known_hosts', { - 'ensure' => 'file', - 'owner' => 0, - 'group' => 0, - 'mode' => '0644', - }) - } } From 5573b254e3fec1b93b61251d9bea0137210862ca Mon Sep 17 00:00:00 2001 
From: Tim Meusel Date: Wed, 1 Mar 2017 11:18:12 +0100 Subject: [PATCH 095/246] Allow users to pass a username to defined resource From the initial commit in 1fbf6a78: this allows us to use this defined type as often as we want (which is the purpose of a defined type). Each usage of it creates an entry in $user/.ssh/config. This is not a breaking change since you can still use the resource as before. However, you can now call it multiple types by setting a unique name for it + providing user => $user as a parameter. Use case: define a block in each puppet profile you have. Notice: I needed to bump the concat dependency by a major release, this means that the next release of this software also should be a major one, even if the API of this module has no breaking changes. To use this feature it's required to call the defined resource multiple times. That requires different names for it. We cannot assume that the name of the defined resource is always a valid user. --- manifests/client/config/user.pp | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/manifests/client/config/user.pp b/manifests/client/config/user.pp index 6b3d234d..6a2ef5e6 100644 --- a/manifests/client/config/user.pp +++ b/manifests/client/config/user.pp @@ -8,7 +8,8 @@ Optional[Stdlib::Absolutepath] $target = undef, Optional[Stdlib::Absolutepath] $user_home_dir = undef, Boolean $manage_user_ssh_dir = true, - Hash $options = {} + Hash $options = {}, + String[1] $user = $name, ) { @@ -22,7 +23,7 @@ } else { if ($user_home_dir == undef) { - $_user_home_dir = "/home/${name}" + $_user_home_dir = "/home/${user}" } else { $_user_home_dir = $user_home_dir @@ -35,7 +36,7 @@ unless defined(File[$user_ssh_dir]) { file { $user_ssh_dir: ensure => directory, - owner => $name, + owner => $user, mode => $::ssh::params::user_ssh_directory_default_mode, before => Concat_file[$_target], } 
@@ -46,7 +47,7 @@ unless defined(Concat_file[$_target]) { concat_file{$_target: ensure => $ensure, - owner => $name, + owner => $user, mode => $::ssh::params::user_ssh_config_default_mode, tag => $name, } From c9a364ca8b1fd9ba075ade67f46c9c4f41ac8591 Mon Sep 17 00:00:00 2001 From: Ger Apeldoorn Date: Mon, 19 Nov 2018 09:25:16 +0100 Subject: [PATCH 096/246] Allow deep merge for ssh::server::options I would like to deep merge SSH options, my AllowGroups configuration is defined in several layers in Hiera. Thanks! --- manifests/server.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/server.pp b/manifests/server.pp index 36d294ce..1e435947 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -10,7 +10,7 @@ ) inherits ssh::params { # Merge hashes from multiple layer of hierarchy in hiera - $hiera_options = lookup("${module_name}::server::options", Optional[Hash], 'hash', undef) + $hiera_options = lookup("${module_name}::server::options", Optional[Hash], 'deep', undef) $hiera_match_block = lookup("${module_name}::server::match_block", Optional[Hash], 'hash', undef) $fin_match_block = $hiera_match_block ? { From 2c1a385694f7f1dc6eafaca04d49c099562bddd6 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Tue, 11 Dec 2018 14:19:20 +0100 Subject: [PATCH 097/246] use deep_merge to merge server and client options, fixes #261 --- manifests/client.pp | 8 ++------ manifests/init.pp | 37 +++++++++---------------------------- manifests/server.pp | 17 ++++------------- 3 files changed, 15 insertions(+), 47 deletions(-) diff --git a/manifests/client.pp b/manifests/client.pp index baab5abf..a554eb86 100644 --- a/manifests/client.pp +++ b/manifests/client.pp 
@@ -7,13 +7,9 @@ ) inherits ssh::params { # Merge hashes from multiple layer of hierarchy in hiera - $hiera_options = lookup("${module_name}::client::options", Optional[Hash], 'hash', undef) + $hiera_options = lookup("${module_name}::client::options", Optional[Hash], 'deep', undef) - $fin_options = $hiera_options ? { - undef => $options, - '' => $options, - default => $hiera_options, - } + $fin_options = deep_merge($hiera_options, $options) if $use_augeas { $merged_options = sshclient_options_to_augeas_ssh_config($fin_options, $options_absent, { 'target' => $::ssh::params::ssh_config }) diff --git a/manifests/init.pp b/manifests/init.pp index cdbe2d03..923b28c7 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
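Review bot: `$fin_options = deep_merge($hiera_options, $options)` inverts which side wins on a key collision: the removed selector let a present hiera value replace `$options` wholesale, whereas stdlib's deep_merge gives the rightmost argument precedence, so an `$options` hash passed in a resource-like declaration now overrides hiera instead of being overridden by it. The same inversion appears in the init.pp hunk (`$fin_server_options`, `$fin_server_match_block`, `$fin_client_options`, `$fin_users_client_options`) and the server.pp hunk (`$fin_options`, `$fin_match_block`). If hiera-over-parameter precedence is intended, swap the arguments, e.g. `$fin_options = deep_merge($options, $hiera_options)`; otherwise the commit message should record the new precedence so operators know which layer wins. The dropped `'' => $options` arm relied on the Puppet 3 empty-string undef; deep_merge in stdlib skips empty-string arguments, so the lookup-miss path should still be safe, but that is worth confirming against the pinned stdlib version.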
@@ -15,34 +15,15 @@ ) inherits ssh::params { # Merge hashes from multiple layer of hierarchy in hiera - $hiera_server_options = lookup("${module_name}::server_options", Optional[Hash], 'hash', undef) - $hiera_server_match_block = lookup("${module_name}::server_match_block", Optional[Hash], 'hash', undef) - $hiera_client_options = lookup("${module_name}::client_options", Optional[Hash], 'hash', undef) - $hiera_users_client_options = lookup("${module_name}::users_client_options", Optional[Hash], 'hash', undef) - - $fin_server_options = $hiera_server_options ? { - undef => $server_options, - '' => $server_options, - default => $hiera_server_options, - } - - $fin_server_match_block = $hiera_server_match_block ? { - undef => $server_match_block, - '' => $server_match_block, - default => $hiera_server_match_block, - } - - $fin_client_options = $hiera_client_options ? { - undef => $client_options, - '' => $client_options, - default => $hiera_client_options, - } - - $fin_users_client_options = $hiera_users_client_options ? { - undef => $users_client_options, - '' => $users_client_options, - default => $hiera_users_client_options, - } + $hiera_server_options = lookup("${module_name}::server_options", Optional[Hash], 'deep', undef) + $hiera_server_match_block = lookup("${module_name}::server_match_block", Optional[Hash], 'deep', undef) + $hiera_client_options = lookup("${module_name}::client_options", Optional[Hash], 'deep', undef) + $hiera_users_client_options = lookup("${module_name}::users_client_options", Optional[Hash], 'deep', undef) + + $fin_server_options = deep_merge($hiera_server_options, $server_options) + $fin_server_match_block = deep_merge($hiera_server_match_block, $server_match_block) + $fin_client_options = deep_merge($hiera_client_options, $client_options) + $fin_users_client_options = deep_merge($hiera_users_client_options, $users_client_options) class { '::ssh::server': ensure => $version, 
diff --git a/manifests/server.pp b/manifests/server.pp index 1e435947..e7f65a5a 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -11,24 +11,15 @@ # Merge hashes from multiple layer of hierarchy in hiera $hiera_options = lookup("${module_name}::server::options", Optional[Hash], 'deep', undef) - $hiera_match_block = lookup("${module_name}::server::match_block", Optional[Hash], 'hash', undef) + $hiera_match_block = lookup("${module_name}::server::match_block", Optional[Hash], 'deep', undef) - $fin_match_block = $hiera_match_block ? { - undef => $match_block, - '' => $match_block, - default => $hiera_match_block, - } - - $fin_options = $hiera_options ? { - undef => $options, - '' => $options, - default => $hiera_options, - } + $fin_options = deep_merge($hiera_options, $options) + $fin_match_block = deep_merge($hiera_match_block, $match_block) if $use_augeas { $merged_options = sshserver_options_to_augeas_sshd_config($fin_options, $options_absent, { 'target' => $::ssh::params::sshd_config }) } else { - $merged_options = merge($ssh::params::sshd_default_options, $fin_options) + $merged_options = deep_merge($ssh::params::sshd_default_options, $fin_options) } include ::ssh::server::install From f52025107b5db99ec86c24a55a82492b80caf7c1 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Thu, 13 Dec 2018 14:19:37 +0100 Subject: [PATCH 098/246] remove emtpy site.pp, fixes #259 --- manifests/site.pp | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 manifests/site.pp diff --git a/manifests/site.pp b/manifests/site.pp deleted file mode 100644 index e69de29b..00000000 From f75a4713c462ef3a91a4bee6c04d04a8d173fc92 Mon Sep 17 00:00:00 2001 
From: Steffen Zieger Date: Thu, 13 Dec 2018 17:02:40 +0100 Subject: [PATCH 099/246] collect all ipaddresses of an interface, add exclude_ipaddresses parameter, fixes #267 --- lib/puppet/parser/functions/ipaddresses.rb | 45 ++++++++-------------- manifests/hostkeys.pp | 14 ++++--- 2 files changed, 24 insertions(+), 35 deletions(-) diff --git a/lib/puppet/parser/functions/ipaddresses.rb b/lib/puppet/parser/functions/ipaddresses.rb index 2f27fe69..9d9ff6cb 100644 --- a/lib/puppet/parser/functions/ipaddresses.rb +++ b/lib/puppet/parser/functions/ipaddresses.rb 
@@ -5,43 +5,30 @@ module Puppet::Parser::Functions first argument for this function. EOS ) do |args| - interfaces = lookupvar('interfaces') + networking = lookupvar('networking') + # always exclude loopback interface + interfaces_exclude = ['lo'] if args.size == 1 unless args[0].is_a?(Array) - raise(Puppet::ParseError, 'ipaddresses(): Requires first argument to be a Array') + raise(Puppet::ParseError, 'ipaddresses(): Requires first argument to be an Array') end - interfaces_exclude = args[0] - else - interfaces_exclude = [] + interfaces_exclude << args[0] end - # In Puppet v2.7, lookupvar returns :undefined if the variable does - # not exist. In Puppet 3.x, it returns nil. - # See http://docs.puppetlabs.com/guides/custom_functions.html - return false if interfaces.nil? || interfaces == :undefined + return false if not networking.include?('interfaces') result = [] - if interfaces.count(',') > 0 - interfaces = interfaces.split(',') - interfaces.each do |iface| - next if iface.include?('lo') - skip_iface = false - interfaces_exclude.each do |iface_exclude| - skip_iface = true if iface.include?(iface_exclude) + networking['interfaces'].each do |iface, data| + # skip excluded interfaces + next if interfaces_exclude.include?(iface) + + ['bindings', 'bindings6'].each do |binding_type| + next if not data.key?(binding_type) + data[binding_type].each do |binding| + next if not binding.key?('address') + result << binding['address'] end - next if skip_iface == true - ipaddr = lookupvar("ipaddress_#{iface}") - ipaddr6 = lookupvar("ipaddress6_#{iface}") - result << ipaddr if ipaddr && (ipaddr != :undefined) - result << ipaddr6 if ipaddr6 && (ipaddr6 != :undefined) - end - else - unless interfaces.include?('lo') - ipaddr = lookupvar("ipaddress_#{interfaces}") - ipaddr6 = lookupvar("ipaddress6_#{interfaces}") - result << ipaddr if ipaddr && (ipaddr != :undefined) - result << ipaddr6 if ipaddr6 && (ipaddr6 != :undefined) end end 
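Review bot: `interfaces_exclude << args[0]` appends the caller's Array as one nested element (`['lo', ['eth1']]`), so the later `interfaces_exclude.include?(iface)` never matches an excluded interface name and the `exclude_interfaces` parameter is silently ignored; use `interfaces_exclude.concat(args[0])`. The same line survives unchanged as context in the later rubocop autofix hunk of this series. `lookupvar('networking')` may also return nil (or `:undefined` on older Puppet) when the structured fact is absent, in which case `networking.include?('interfaces')` raises NoMethodError instead of taking the `return false` path the old code offered; `return false unless networking.is_a?(Hash) && networking.key?('interfaces')` keeps the fail-soft behaviour. The function definition begins before this hunk.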
@@ -49,6 +36,6 @@ module Puppet::Parser::Functions fe8064 = IPAddr.new('fe80::/64') result.delete_if { |ip| fe8064.include? IPAddr.new(ip) } - return result + return result.uniq end end diff --git a/manifests/hostkeys.pp b/manifests/hostkeys.pp index aead6663..78169371 100644 --- a/manifests/hostkeys.pp +++ b/manifests/hostkeys.pp @@ -1,16 +1,18 @@ # Class ssh::hostkeys class ssh::hostkeys( - Boolean $export_ipaddresses = true, - Optional[String] $storeconfigs_group = undef, - Array $extra_aliases = [], - Array $exclude_interfaces = [], + Boolean $export_ipaddresses = true, + Optional[String] $storeconfigs_group = undef, + Array $extra_aliases = [], + Array $exclude_interfaces = [], + Array $exclude_ipaddresses = [], ) { if $export_ipaddresses == true { $ipaddresses = ipaddresses($exclude_interfaces) - $host_aliases = flatten([ $::fqdn, $::hostname, $extra_aliases, $ipaddresses ]) + $ipaddresses_real = delete($ipaddresses, $exclude_ipaddresses) + $host_aliases = unique(flatten([ $::fqdn, $::hostname, $extra_aliases, $ipaddresses_real ])) } else { - $host_aliases = flatten([ $::fqdn, $::hostname, $extra_aliases]) + $host_aliases = unique(flatten([ $::fqdn, $::hostname, $extra_aliases])) } if $storeconfigs_group { From a1a3e9bb9f1bc5194e2929bf81a3e98e48c284c2 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Fri, 14 Dec 2018 15:03:42 +0100 Subject: [PATCH 100/246] refactor ssh::hostkeys a little bit --- manifests/hostkeys.pp | 68 ++++++++++++------------------------------- 1 file changed, 19 insertions(+), 49 deletions(-) diff --git a/manifests/hostkeys.pp b/manifests/hostkeys.pp index 78169371..a276a5d5 100644 --- a/manifests/hostkeys.pp +++ b/manifests/hostkeys.pp 
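Review bot: `delete($ipaddresses, $exclude_ipaddresses)` assumes `ipaddresses()` returns an Array, but the function in the hunk above still returns `false` when the networking fact has no interfaces; stdlib's `delete()` expects an Array, Hash or String, so that path is likely to fail catalog compilation where the old `flatten([...])` merely produced an odd alias. Either make `ipaddresses()` return `[]` in that case or guard here, e.g. `$ipaddresses_real = $ipaddresses ? { false => [], default => delete($ipaddresses, $exclude_ipaddresses) }`. `$exclude_ipaddresses` is typed only as `Array`; if the pinned stdlib provides `Stdlib::IP::Address`, `Array[Stdlib::IP::Address]` would catch mistyped addresses that otherwise silently fail to match anything.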
@@ -8,8 +8,7 @@ ) { if $export_ipaddresses == true { - $ipaddresses = ipaddresses($exclude_interfaces) - $ipaddresses_real = delete($ipaddresses, $exclude_ipaddresses) + $ipaddresses_real = delete(ipaddresses($exclude_interfaces), $exclude_ipaddresses) $host_aliases = unique(flatten([ $::fqdn, $::hostname, $extra_aliases, $ipaddresses_real ])) } else { $host_aliases = unique(flatten([ $::fqdn, $::hostname, $extra_aliases])) @@ -19,54 +18,25 @@ tag 'hostkey_all', "hostkey_${storeconfigs_group}" } - if defined('$::sshdsakey') { - @@sshkey { "${::fqdn}_dsa": - ensure => present, - host_aliases => $host_aliases, - type => dsa, - key => $::sshdsakey, + ['dsa', 'rsa', 'ecdsa', 'ed25519'].each |String $key_type| { + if $key_type == 'ecdsa' { + $key_type_real = 'ecdsa-sha2-nistp256' + } else { + $key_type_real = $key_type } - } else { - @@sshkey { "${::fqdn}_dsa": - ensure => absent, - } - } - if defined('$::sshrsakey') { - @@sshkey { "${::fqdn}_rsa": - ensure => present, - host_aliases => $host_aliases, - type => rsa, - key => $::sshrsakey, - } - } else { - @@sshkey { "${::fqdn}_rsa": - ensure => absent, - } - } - if defined('$::sshecdsakey') { - @@sshkey { "${::fqdn}_ecdsa": - ensure => present, - host_aliases => $host_aliases, - type => 'ecdsa-sha2-nistp256', - key => $::sshecdsakey, - } - } else { - @@sshkey { "${::fqdn}_ecdsa": - ensure => absent, - type => 'ecdsa-sha2-nistp256', - } - } - if defined('$::sshed25519key') { - @@sshkey { "${::fqdn}_ed25519": - ensure => present, - host_aliases => $host_aliases, - type => 'ed25519', - key => $::sshed25519key, - } - } else { - @@sshkey { "${::fqdn}_ed25519": - ensure => absent, - type => 'ed25519', + + if $key_type in $facts['ssh'] { + @@sshkey { "${::fqdn}_${key_type}": + ensure => present, + host_aliases => $host_aliases, + type => $key_type_real, + key => $facts['ssh'][$key_type]['key'], + } + } else { + @@sshkey { "${::fqdn}_${key_type}": + ensure => absent, + type => $key_type_real, + } } } } 
From 376e938d4425c5aa29ff3277018e91ab9c015758 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Fri, 14 Dec 2018 15:44:12 +0100 Subject: [PATCH 101/246] some whitespace and style changes --- manifests/client/config.pp | 2 -- manifests/client/config/user.pp | 14 +++++--------- manifests/knownhosts.pp | 2 +- manifests/server/config.pp | 4 ++-- manifests/server/host_key.pp | 20 ++++++++++---------- spec/defines/server/host_key_spec.rb | 22 +++++++++++----------- 6 files changed, 29 insertions(+), 35 deletions(-) diff --git a/manifests/client/config.pp b/manifests/client/config.pp index 7f7cff4c..5aa1f0fb 100644 --- a/manifests/client/config.pp +++ b/manifests/client/config.pp @@ -4,9 +4,7 @@ $use_augeas = $::ssh::client::use_augeas if $use_augeas { - create_resources('ssh_config', $options) - } else { file { $ssh::params::ssh_config: ensure => present, diff --git a/manifests/client/config/user.pp b/manifests/client/config/user.pp index 6a2ef5e6..04c1f814 100644 --- a/manifests/client/config/user.pp +++ b/manifests/client/config/user.pp @@ -10,9 +10,7 @@ Boolean $manage_user_ssh_dir = true, Hash $options = {}, String[1] $user = $name, -) -{ - +) { include ::ssh::params # If a specific target file was specified, @@ -20,12 +18,10 @@ # other parameter. if ($target != undef) { $_target = $target - } - else { + } else { if ($user_home_dir == undef) { $_user_home_dir = "/home/${user}" - } - else { + } else { $_user_home_dir = $user_home_dir } @@ -45,14 +41,14 @@ } unless defined(Concat_file[$_target]) { - concat_file{$_target: + concat_file { $_target: ensure => $ensure, owner => $user, mode => $::ssh::params::user_ssh_config_default_mode, tag => $name, } } - concat_fragment{$name: + concat_fragment { $name: tag => $name, content => template("${module_name}/ssh_config.erb"), target => $_target, diff --git a/manifests/knownhosts.pp b/manifests/knownhosts.pp index 3ffdbe47..19c92131 100644 --- a/manifests/knownhosts.pp +++ b/manifests/knownhosts.pp 
@@ -4,7 +4,7 @@ ) inherits ssh::params { if ($collect_enabled) { if $storeconfigs_group { - Sshkey <<| tag == "hostkey_${storeconfigs_group}" |>> + Sshkey <<| tag == "hostkey_${storeconfigs_group}" |>> } else { Sshkey <<| |>> } diff --git a/manifests/server/config.pp b/manifests/server/config.pp index 4be65ae1..1236c2e4 100644 --- a/manifests/server/config.pp +++ b/manifests/server/config.pp @@ -15,8 +15,8 @@ } else { concat { $ssh::params::sshd_config: ensure => present, - owner => '0', - group => '0', + owner => 0, + group => 0, mode => '0600', validate_cmd => $sshd_validate_cmd, notify => Service[$ssh::params::service_name], diff --git a/manifests/server/host_key.pp b/manifests/server/host_key.pp index 217ede81..0f01accf 100644 --- a/manifests/server/host_key.pp +++ b/manifests/server/host_key.pp @@ -86,8 +86,8 @@ if $ensure == 'present' { file {"${name}_pub": ensure => $ensure, - owner => 'root', - group => 'root', + owner => 0, + group => 0, mode => '0644', path => "${::ssh::params::sshd_dir}/${name}.pub", source => $manage_pub_key_source, @@ -97,7 +97,7 @@ file {"${name}_priv": ensure => $ensure, - owner => 'root', + owner => 0, group => $::ssh::params::host_priv_key_group, mode => '0600', path => "${::ssh::params::sshd_dir}/${name}", @@ -108,8 +108,8 @@ } else { file {"${name}_pub": ensure => $ensure, - owner => 'root', - group => 'root', + owner => 0, + group => 0, mode => '0644', path => "${::ssh::params::sshd_dir}/${name}.pub", notify => Class['ssh::server::service'], @@ -117,7 +117,7 @@ file {"${name}_priv": ensure => $ensure, - owner => 'root', + owner => 0, group => $::ssh::params::host_priv_key_group, mode => '0600', path => "${::ssh::params::sshd_dir}/${name}", @@ -129,8 +129,8 @@ if $ensure == 'present' { file {"${name}_cert": ensure => $ensure, - owner => 'root', - group => 'root', + owner => 0, + group => 0, mode => '0644', path => "${::ssh::params::sshd_dir}/${name}-cert.pub", source => $manage_cert_source, 
@@ -140,8 +140,8 @@ } else { file {"${name}_cert": ensure => $ensure, - owner => 'root', - group => 'root', + owner => 0, + group => 0, mode => '0644', path => "${::ssh::params::sshd_dir}/${name}-cert.pub", notify => Class['ssh::server::service'], diff --git a/spec/defines/server/host_key_spec.rb b/spec/defines/server/host_key_spec.rb index 7cb50aa8..108c7019 100644 --- a/spec/defines/server/host_key_spec.rb +++ b/spec/defines/server/host_key_spec.rb @@ -36,22 +36,22 @@ is_expected.to contain_file('something_pub'). with_content('abc'). with_ensure('present'). - with_owner('root'). - with_group('root'). + with_owner(0). + with_group(0). with_mode('0644'). with_path('/etc/ssh/something.pub') is_expected.to contain_file('something_priv'). with_content('bcd'). with_ensure('present'). - with_owner('root'). + with_owner(0). with_group('root'). with_mode('0600'). with_path('/etc/ssh/something') is_expected.to contain_file('something_cert'). with_content('cde'). with_ensure('present'). - with_owner('root'). - with_group('root'). + with_owner(0). + with_group(0). with_mode('0644'). with_path('/etc/ssh/something-cert.pub') end @@ -69,14 +69,14 @@ is_expected.to contain_file('something_pub'). with_content('abc'). with_ensure('present'). - with_owner('root'). - with_group('root'). + with_owner(0). + with_group(0). with_mode('0644'). with_path('/etc/ssh/something.pub') is_expected.to contain_file('something_priv'). with_content('bcd'). with_ensure('present'). - with_owner('root'). + with_owner(0). with_group('root'). with_mode('0600'). with_path('/etc/ssh/something') 
@@ -99,15 +99,15 @@ without_content. with_source('a'). with_ensure('present'). - with_owner('root'). - with_group('root'). + with_owner(0). + with_group(0). with_mode('0644'). with_path('/etc/ssh/something.pub') is_expected.to contain_file('something_priv'). without_content. with_source('b'). with_ensure('present'). - with_owner('root'). + with_owner(0). with_group('root'). with_mode('0600'). with_path('/etc/ssh/something') From 0cc1b1f1a14668f4a08d17a6887cb405b610161d Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Fri, 14 Dec 2018 15:44:43 +0100 Subject: [PATCH 102/246] use ensure_packages in server/client install.pp --- manifests/client/install.pp | 6 +----- manifests/server/install.pp | 6 +----- 2 files changed, 2 insertions(+), 10 deletions(-) diff --git a/manifests/client/install.pp b/manifests/client/install.pp index 86771d77..11f0d2bd 100644 --- a/manifests/client/install.pp +++ b/manifests/client/install.pp @@ -1,9 +1,5 @@ class ssh::client::install { if $ssh::params::client_package_name { - if !defined(Package[$ssh::params::client_package_name]) { - package { $ssh::params::client_package_name: - ensure => $ssh::client::ensure, - } - } + ensure_packages([$ssh::params::client_package_name], {'ensure' => $ssh::client::ensure}) } } diff --git a/manifests/server/install.pp b/manifests/server/install.pp index 6841bf51..973825d9 100644 --- a/manifests/server/install.pp +++ b/manifests/server/install.pp @@ -1,10 +1,6 @@ class ssh::server::install { include ::ssh::params if $ssh::params::server_package_name { - if !defined(Package[$ssh::params::server_package_name]) { - package { $ssh::params::server_package_name: - ensure => $ssh::server::ensure, - } - } + ensure_packages([$ssh::params::server_package_name], {'ensure' => $ssh::server::ensure}) } } From 1e7922bcfef96d8a4a2f8b73ffaa0ecbba7b9435 Mon Sep 17 00:00:00 2001 
From: Steffen Zieger Date: Fri, 14 Dec 2018 15:59:01 +0100 Subject: [PATCH 103/246] add comment for special handling of ecdsa key --- manifests/hostkeys.pp | 2 ++ 1 file changed, 2 insertions(+) diff --git a/manifests/hostkeys.pp b/manifests/hostkeys.pp index a276a5d5..3bd2e90c 100644 --- a/manifests/hostkeys.pp +++ b/manifests/hostkeys.pp @@ -19,6 +19,8 @@ } ['dsa', 'rsa', 'ecdsa', 'ed25519'].each |String $key_type| { + # can be removed as soon as we drop support for puppet 4 + # see https://tickets.puppetlabs.com/browse/FACT-1377?jql=project%20%3D%20FACT%20AND%20fixVersion%20%3D%20%22FACT%203.12.0%22 if $key_type == 'ecdsa' { $key_type_real = 'ecdsa-sha2-nistp256' } else { From 7f037981c32e9c3928a59f1349f42279b807789f Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Sat, 15 Dec 2018 02:15:14 +0100 Subject: [PATCH 104/246] rubocop: autofix --- lib/puppet/parser/functions/ipaddresses.rb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/lib/puppet/parser/functions/ipaddresses.rb b/lib/puppet/parser/functions/ipaddresses.rb index 9d9ff6cb..432871d8 100644 --- a/lib/puppet/parser/functions/ipaddresses.rb +++ b/lib/puppet/parser/functions/ipaddresses.rb @@ -16,17 +16,17 @@ module Puppet::Parser::Functions interfaces_exclude << args[0] end - return false if not networking.include?('interfaces') + return false unless networking.include?('interfaces') result = [] networking['interfaces'].each do |iface, data| # skip excluded interfaces next if interfaces_exclude.include?(iface) - ['bindings', 'bindings6'].each do |binding_type| - next if not data.key?(binding_type) + %w[bindings bindings6].each do |binding_type| + next unless data.key?(binding_type) data[binding_type].each do |binding| - next if not binding.key?('address') + next unless binding.key?('address') result << binding['address'] end end From 12efd1746e62d1b1047d484530fb66e87741b1b7 Mon Sep 17 00:00:00 2001 
From: Steffen Zieger Date: Mon, 17 Dec 2018 15:02:01 +0100 Subject: [PATCH 105/246] use structured fact networking within spec tests --- spec/classes/client_spec.rb | 10 ------ spec/classes/init_spec.rb | 36 ---------------------- spec/classes/server_spec.rb | 36 ---------------------- spec/defines/client/config/user_spec.rb | 1 - spec/defines/server/config/setting_spec.rb | 9 ------ spec/defines/server/host_key_spec.rb | 9 ------ spec/spec_helper.rb | 30 ++++++++++++++++++ 7 files changed, 30 insertions(+), 101 deletions(-) diff --git a/spec/classes/client_spec.rb b/spec/classes/client_spec.rb index 9b902b7d..6852e489 100644 --- a/spec/classes/client_spec.rb +++ b/spec/classes/client_spec.rb @@ -5,11 +5,6 @@ let :facts do { osfamily: 'Debian', - interfaces: 'eth0', - ipaddress_eth0: '192.168.1.1', - ipaddress6_eth0: '::1', - concat_basedir: '/tmp', - puppetversion: '3.7.0' } end @@ -21,11 +16,6 @@ let :facts do { osfamily: 'Debian', - interfaces: 'eth0', - ipaddress_eth0: '192.168.1.1', - ipaddress6_eth0: '::1', - concat_basedir: '/tmp', - puppetversion: '3.7.0' } end let :params do diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index 8a8ebab5..4f2b46be 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb 
@@ -5,18 +5,6 @@ let :facts do { osfamily: 'Debian', - interfaces: 'eth0', - ipaddress_eth0: '192.168.1.1', - ipaddress6_eth0: '::1', - concat_basedir: '/tmp', - puppetversion: '3.7.0', - sshdsakey: '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', - sshrsakey: 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDzA57hAMwz6pywCgxNUcloWeNMvBo2PDPxK2RCegst+9tYaf4S3shnM9a1j2PGBoeRXTuUG6mYB32fJm6/37UUUJA4lT+8CZ3hNnDZU9aitpukkKon7RIlvY1PWO8wT4A5mEa0hfdQg6Um8KZZUs+jrB+8zMJO/X0fmleY54r/JKrP3hNcpaJpTUVQEvMmKacW7nYez/PvWKAz8d02uAOXuauGKhZ9K2AHYKlQFqJ4S1jLiduoGFWxFQ2vQybbN/O0PQQU7EZlHIjSzwoowZLzlxCKCZcKnoDsbGCtYHArbjxTb+m5e7nvsamz7TXLoY90Srmc5QGMxrLUlSvkYsm5', - sshecdsakey: 'AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFDrof0LPA0hGuwODy+5uTynV7rgPJspvZo2TzykBu5mSANJvdL1z5/JS3x16/c/cDjx2lfEkRoVDnon4/NjKEM=', - sshed25519key: '', - id: 'root', - is_pe: false, - path: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games' } end @@ -38,18 +26,6 @@ let :facts do { osfamily: 'Debian', - interfaces: 'eth0', - ipaddress_eth0: '192.168.1.1', - ipaddress6_eth0: '::1', - concat_basedir: '/tmp', - puppetversion: '3.7.0', - sshdsakey: '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', - sshrsakey: 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDzA57hAMwz6pywCgxNUcloWeNMvBo2PDPxK2RCegst+9tYaf4S3shnM9a1j2PGBoeRXTuUG6mYB32fJm6/37UUUJA4lT+8CZ3hNnDZU9aitpukkKon7RIlvY1PWO8wT4A5mEa0hfdQg6Um8KZZUs+jrB+8zMJO/X0fmleY54r/JKrP3hNcpaJpTUVQEvMmKacW7nYez/PvWKAz8d02uAOXuauGKhZ9K2AHYKlQFqJ4S1jLiduoGFWxFQ2vQybbN/O0PQQU7EZlHIjSzwoowZLzlxCKCZcKnoDsbGCtYHArbjxTb+m5e7nvsamz7TXLoY90Srmc5QGMxrLUlSvkYsm5', - sshecdsakey: 'AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFDrof0LPA0hGuwODy+5uTynV7rgPJspvZo2TzykBu5mSANJvdL1z5/JS3x16/c/cDjx2lfEkRoVDnon4/NjKEM=', - sshed25519key: '', - id: 'root', - is_pe: false, - path: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games' } end let :params do 
@@ -69,18 +45,6 @@ standard_facts = { osfamily: 'Debian', - interfaces: 'eth0', - ipaddress_eth0: '192.168.1.1', - ipaddress6_eth0: '::1', - concat_basedir: '/tmp', - puppetversion: '3.7.0', - sshdsakey: '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', - sshrsakey: 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDzA57hAMwz6pywCgxNUcloWeNMvBo2PDPxK2RCegst+9tYaf4S3shnM9a1j2PGBoeRXTuUG6mYB32fJm6/37UUUJA4lT+8CZ3hNnDZU9aitpukkKon7RIlvY1PWO8wT4A5mEa0hfdQg6Um8KZZUs+jrB+8zMJO/X0fmleY54r/JKrP3hNcpaJpTUVQEvMmKacW7nYez/PvWKAz8d02uAOXuauGKhZ9K2AHYKlQFqJ4S1jLiduoGFWxFQ2vQybbN/O0PQQU7EZlHIjSzwoowZLzlxCKCZcKnoDsbGCtYHArbjxTb+m5e7nvsamz7TXLoY90Srmc5QGMxrLUlSvkYsm5', - sshecdsakey: 'AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFDrof0LPA0hGuwODy+5uTynV7rgPJspvZo2TzykBu5mSANJvdL1z5/JS3x16/c/cDjx2lfEkRoVDnon4/NjKEM=', - sshed25519key: '', - id: 'root', - is_pe: false, - path: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games' } context 'When on Debian without resource purging' do diff --git a/spec/classes/server_spec.rb b/spec/classes/server_spec.rb index 9757af89..0e3c59cb 100644 --- a/spec/classes/server_spec.rb +++ b/spec/classes/server_spec.rb 
@@ -21,18 +21,6 @@ { osfamily: 'RedHat', operatingsystemmajrelease: '6', - interfaces: 'eth0', - ipaddress_eth0: '192.168.1.1', - ipaddress6_eth0: '::1', - concat_basedir: '/tmp', - puppetversion: '3.7.0', - sshdsakey: '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', - sshrsakey: 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDzA57hAMwz6pywCgxNUcloWeNMvBo2PDPxK2RCegst+9tYaf4S3shnM9a1j2PGBoeRXTuUG6mYB32fJm6/37UUUJA4lT+8CZ3hNnDZU9aitpukkKon7RIlvY1PWO8wT4A5mEa0hfdQg6Um8KZZUs+jrB+8zMJO/X0fmleY54r/JKrP3hNcpaJpTUVQEvMmKacW7nYez/PvWKAz8d02uAOXuauGKhZ9K2AHYKlQFqJ4S1jLiduoGFWxFQ2vQybbN/O0PQQU7EZlHIjSzwoowZLzlxCKCZcKnoDsbGCtYHArbjxTb+m5e7nvsamz7TXLoY90Srmc5QGMxrLUlSvkYsm5', - sshecdsakey: 'AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFDrof0LPA0hGuwODy+5uTynV7rgPJspvZo2TzykBu5mSANJvdL1z5/JS3x16/c/cDjx2lfEkRoVDnon4/NjKEM=', - sshed25519key: '', - id: 'root', - is_pe: false, - path: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games' } end 
@@ -77,18 +65,6 @@ let :facts do { osfamily: osfamily, - interfaces: 'eth0', - ipaddress_eth0: '192.168.1.1', - ipaddress6_eth0: '::1', - concat_basedir: '/tmp', - puppetversion: '3.7.0', - sshdsakey: 'AAAAB3NzaC1kc3MAAACBAODCvvUUnv2imW4cfuLBWVJTLMzds89MtCUXGl3+7Gza5QYJmp7GSkKBnV8+7XI+JAmjv0RKQM1RAn7mV5UplRTtg3CYbeNkX4IakZmNJLTdL4vUyIehhaxBobpOtBaJfFewCJE1plIaWvoWfEDrShcjIUbUbJMfR8YWweIIqp9bAAAAFQCr8+KRfOUZbS9Dz1t15A/Owl61VQAAAIBr/7hNPCvjzAl5+rde6jUR5k20pxAE+z2wsaZxlhrs6ZhhplyCKIXKq4rCx4QuFVPh/c+WJRPO56iH/rSh5Y5cpT1LUk66wNJcOBPprjvDEHfQUHUmfYXzNJ2BHkRL78lfzQr52YyowV6dHfktv0VsIctm13KcMr2KQygZtV6EqgAAAIEAjNC4PRdzYpWfxu268CJDpexlhBwIkIx+ovEibtYeke55qAQcF9UWko4A1c8Wf4nLLxlQYCf501Bt5lb6GmZd0xfpg27fPIfzZPL8o+E756D3ZcNXUaLj4HPRKnwNcdAtChL2jESH3fm8PyNwBI7tV6IOjmOGpyQKtmJq3IyNgms=', - sshrsakey: 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDzA57hAMwz6pywCgxNUcloWeNMvBo2PDPxK2RCegst+9tYaf4S3shnM9a1j2PGBoeRXTuUG6mYB32fJm6/37UUUJA4lT+8CZ3hNnDZU9aitpukkKon7RIlvY1PWO8wT4A5mEa0hfdQg6Um8KZZUs+jrB+8zMJO/X0fmleY54r/JKrP3hNcpaJpTUVQEvMmKacW7nYez/PvWKAz8d02uAOXuauGKhZ9K2AHYKlQFqJ4S1jLiduoGFWxFQ2vQybbN/O0PQQU7EZlHIjSzwoowZLzlxCKCZcKnoDsbGCtYHArbjxTb+m5e7nvsamz7TXLoY90Srmc5QGMxrLUlSvkYsm5', - sshecdsakey: 'AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFDrof0LPA0hGuwODy+5uTynV7rgPJspvZo2TzykBu5mSANJvdL1z5/JS3x16/c/cDjx2lfEkRoVDnon4/NjKEM=', - sshed25519key: '', - id: 'root', - is_pe: false, - path: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games' } end 
@@ -127,18 +103,6 @@ osfamily: 'Archlinux', lsbdistdescription: 'Arch Linux', lsbdistid: 'Arch', - interfaces: 'enp4s0', - ipaddress_enp4s0: '192.168.1.1', - ipaddress6_enp4s0: '::1', - concat_basedir: '/tmp', - puppetversion: '3.7.0', - sshdsakey: 'AAAAB3NzaC1kc3MAAACBAODCvvUUnv2imW4cfuLBWVJTLMzds89MtCUXGl3+7Gza5QYJmp7GSkKBnV8+7XI+JAmjv0RKQM1RAn7mV5UplRTtg3CYbeNkX4IakZmNJLTdL4vUyIehhaxBobpOtBaJfFewCJE1plIaWvoWfEDrShcjIUbUbJMfR8YWweIIqp9bAAAAFQCr8+KRfOUZbS9Dz1t15A/Owl61VQAAAIBr/7hNPCvjzAl5+rde6jUR5k20pxAE+z2wsaZxlhrs6ZhhplyCKIXKq4rCx4QuFVPh/c+WJRPO56iH/rSh5Y5cpT1LUk66wNJcOBPprjvDEHfQUHUmfYXzNJ2BHkRL78lfzQr52YyowV6dHfktv0VsIctm13KcMr2KQygZtV6EqgAAAIEAjNC4PRdzYpWfxu268CJDpexlhBwIkIx+ovEibtYeke55qAQcF9UWko4A1c8Wf4nLLxlQYCf501Bt5lb6GmZd0xfpg27fPIfzZPL8o+E756D3ZcNXUaLj4HPRKnwNcdAtChL2jESH3fm8PyNwBI7tV6IOjmOGpyQKtmJq3IyNgms=', - sshrsakey: 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDzA57hAMwz6pywCgxNUcloWeNMvBo2PDPxK2RCegst+9tYaf4S3shnM9a1j2PGBoeRXTuUG6mYB32fJm6/37UUUJA4lT+8CZ3hNnDZU9aitpukkKon7RIlvY1PWO8wT4A5mEa0hfdQg6Um8KZZUs+jrB+8zMJO/X0fmleY54r/JKrP3hNcpaJpTUVQEvMmKacW7nYez/PvWKAz8d02uAOXuauGKhZ9K2AHYKlQFqJ4S1jLiduoGFWxFQ2vQybbN/O0PQQU7EZlHIjSzwoowZLzlxCKCZcKnoDsbGCtYHArbjxTb+m5e7nvsamz7TXLoY90Srmc5QGMxrLUlSvkYsm5', - sshecdsakey: 'AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFDrof0LPA0hGuwODy+5uTynV7rgPJspvZo2TzykBu5mSANJvdL1z5/JS3x16/c/cDjx2lfEkRoVDnon4/NjKEM=', - sshed25519key: '', - id: 'root', - is_pe: false, - path: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games' } end diff --git a/spec/defines/client/config/user_spec.rb b/spec/defines/client/config/user_spec.rb index e3fb6226..ad49d69e 100644 --- a/spec/defines/client/config/user_spec.rb +++ b/spec/defines/client/config/user_spec.rb @@ -19,7 +19,6 @@ { osfamily: 'RedHat', operatingsystemmajrelease: '6', - concat_basedir: '/tmp' } end diff --git a/spec/defines/server/config/setting_spec.rb b/spec/defines/server/config/setting_spec.rb index 1fe0a4a6..8b4d1674 100644 
--- a/spec/defines/server/config/setting_spec.rb +++ b/spec/defines/server/config/setting_spec.rb @@ -9,15 +9,6 @@ { osfamily: 'RedHat', operatingsystemmajrelease: '6', - concat_basedir: '/tmp', - puppetversion: '3.7.0', - sshdsakey: 'AAAAB3NzaC1kc3MAAACBAODCvvUUnv2imW4cfuLBWVJTLMzds89MtCUXGl3+7Gza5QYJmp7GSkKBnV8+7XI+JAmjv0RKQM1RAn7mV5UplRTtg3CYbeNkX4IakZmNJLTdL4vUyIehhaxBobpOtBaJfFewCJE1plIaWvoWfEDrShcjIUbUbJMfR8YWweIIqp9bAAAAFQCr8+KRfOUZbS9Dz1t15A/Owl61VQAAAIBr/7hNPCvjzAl5+rde6jUR5k20pxAE+z2wsaZxlhrs6ZhhplyCKIXKq4rCx4QuFVPh/c+WJRPO56iH/rSh5Y5cpT1LUk66wNJcOBPprjvDEHfQUHUmfYXzNJ2BHkRL78lfzQr52YyowV6dHfktv0VsIctm13KcMr2KQygZtV6EqgAAAIEAjNC4PRdzYpWfxu268CJDpexlhBwIkIx+ovEibtYeke55qAQcF9UWko4A1c8Wf4nLLxlQYCf501Bt5lb6GmZd0xfpg27fPIfzZPL8o+E756D3ZcNXUaLj4HPRKnwNcdAtChL2jESH3fm8PyNwBI7tV6IOjmOGpyQKtmJq3IyNgms=', - sshrsakey: 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDzA57hAMwz6pywCgxNUcloWeNMvBo2PDPxK2RCegst+9tYaf4S3shnM9a1j2PGBoeRXTuUG6mYB32fJm6/37UUUJA4lT+8CZ3hNnDZU9aitpukkKon7RIlvY1PWO8wT4A5mEa0hfdQg6Um8KZZUs+jrB+8zMJO/X0fmleY54r/JKrP3hNcpaJpTUVQEvMmKacW7nYez/PvWKAz8d02uAOXuauGKhZ9K2AHYKlQFqJ4S1jLiduoGFWxFQ2vQybbN/O0PQQU7EZlHIjSzwoowZLzlxCKCZcKnoDsbGCtYHArbjxTb+m5e7nvsamz7TXLoY90Srmc5QGMxrLUlSvkYsm5', - sshecdsakey: 'AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFDrof0LPA0hGuwODy+5uTynV7rgPJspvZo2TzykBu5mSANJvdL1z5/JS3x16/c/cDjx2lfEkRoVDnon4/NjKEM=', - sshed25519key: '', - id: 'root', - is_pe: false, - path: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games' } end diff --git a/spec/defines/server/host_key_spec.rb b/spec/defines/server/host_key_spec.rb index 108c7019..1364c547 100644 --- a/spec/defines/server/host_key_spec.rb +++ b/spec/defines/server/host_key_spec.rb 
@@ -11,15 +11,6 @@ { osfamily: 'RedHat', operatingsystemmajrelease: '6', - concat_basedir: '/tmp', - puppetversion: '3.7.0', - sshdsakey: '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', - sshrsakey: 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDzA57hAMwz6pywCgxNUcloWeNMvBo2PDPxK2RCegst+9tYaf4S3shnM9a1j2PGBoeRXTuUG6mYB32fJm6/37UUUJA4lT+8CZ3hNnDZU9aitpukkKon7RIlvY1PWO8wT4A5mEa0hfdQg6Um8KZZUs+jrB+8zMJO/X0fmleY54r/JKrP3hNcpaJpTUVQEvMmKacW7nYez/PvWKAz8d02uAOXuauGKhZ9K2AHYKlQFqJ4S1jLiduoGFWxFQ2vQybbN/O0PQQU7EZlHIjSzwoowZLzlxCKCZcKnoDsbGCtYHArbjxTb+m5e7nvsamz7TXLoY90Srmc5QGMxrLUlSvkYsm5', - sshecdsakey: 'AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFDrof0LPA0hGuwODy+5uTynV7rgPJspvZo2TzykBu5mSANJvdL1z5/JS3x16/c/cDjx2lfEkRoVDnon4/NjKEM=', - sshed25519key: '', - id: 'root', - is_pe: false, - path: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games' } end diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index 6e1d9681..627d3520 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb 
@@ -1,2 +1,32 @@ require 'rspec-puppet' require 'puppetlabs_spec_helper/module_spec_helper' + +RSpec.configure do |c| + c.default_facts = { + 'networking' => { + 'interfaces' => { + 'eth0' => { + 'bindings' => [ + { + 'address' => '192.168.1.1', + }, + ], + 'bindings6' => [ + { + 'address' => '::1', + }, + ], + }, + }, + }, + concat_basedir: '/tmp', + puppetversion: '3.7.0', + sshdsakey: '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', + sshrsakey: 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDzA57hAMwz6pywCgxNUcloWeNMvBo2PDPxK2RCegst+9tYaf4S3shnM9a1j2PGBoeRXTuUG6mYB32fJm6/37UUUJA4lT+8CZ3hNnDZU9aitpukkKon7RIlvY1PWO8wT4A5mEa0hfdQg6Um8KZZUs+jrB+8zMJO/X0fmleY54r/JKrP3hNcpaJpTUVQEvMmKacW7nYez/PvWKAz8d02uAOXuauGKhZ9K2AHYKlQFqJ4S1jLiduoGFWxFQ2vQybbN/O0PQQU7EZlHIjSzwoowZLzlxCKCZcKnoDsbGCtYHArbjxTb+m5e7nvsamz7TXLoY90Srmc5QGMxrLUlSvkYsm5', + sshecdsakey: 'AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFDrof0LPA0hGuwODy+5uTynV7rgPJspvZo2TzykBu5mSANJvdL1z5/JS3x16/c/cDjx2lfEkRoVDnon4/NjKEM=', + sshed25519key: '', + id: 'root', + is_pe: false, + path: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games' + } +end From 47205497ad5f37c00b94a88a3c06a9ef85b6c56e Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Mon, 17 Dec 2018 15:08:59 +0100 Subject: [PATCH 106/246] rubocop: autofix --- manifests/hostkeys.pp | 3 ++- spec/classes/client_spec.rb | 4 ++-- spec/classes/init_spec.rb | 6 +++--- spec/classes/server_spec.rb | 6 +++--- spec/defines/client/config/user_spec.rb | 2 +- spec/defines/server/config/setting_spec.rb | 2 +- spec/defines/server/host_key_spec.rb | 2 +- spec/spec_helper.rb | 16 ++++++++-------- 8 files changed, 21 insertions(+), 20 deletions(-) diff --git a/manifests/hostkeys.pp b/manifests/hostkeys.pp index 3bd2e90c..f7662814 100644 --- a/manifests/hostkeys.pp +++ b/manifests/hostkeys.pp 
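Review bot: The `default_facts` literal mixes one string key (`'networking' => {`) with symbol keys (`concat_basedir:`, `sshdsakey:` …); rspec-puppet normalises fact names so both resolve, but one style — `networking: {` like the rest — keeps the hash consistent and RuboCop-clean. The `ssh*key` values are facter's public host-key facts, so nothing secret is being committed, but a one-line comment above them such as `# public halves of disposable test host keys, not real hosts` would spare the next reader an audit.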
@@ -8,7 +8,8 @@ ) { if $export_ipaddresses == true { - $ipaddresses_real = delete(ipaddresses($exclude_interfaces), $exclude_ipaddresses) + $ipaddresses = ipaddresses($exclude_interfaces) + $ipaddresses_real = $ipaddresses - $exclude_ipaddresses $host_aliases = unique(flatten([ $::fqdn, $::hostname, $extra_aliases, $ipaddresses_real ])) } else { $host_aliases = unique(flatten([ $::fqdn, $::hostname, $extra_aliases])) diff --git a/spec/classes/client_spec.rb b/spec/classes/client_spec.rb index 6852e489..6dd14339 100644 --- a/spec/classes/client_spec.rb +++ b/spec/classes/client_spec.rb @@ -4,7 +4,7 @@ context 'when on Debian with no other parameters' do let :facts do { - osfamily: 'Debian', + osfamily: 'Debian' } end @@ -15,7 +15,7 @@ context 'when on Debian with custom ensure' do let :facts do { - osfamily: 'Debian', + osfamily: 'Debian' } end let :params do diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index 4f2b46be..e2a36b5a 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb @@ -4,7 +4,7 @@ context 'when on Debian with no other parameters' do let :facts do { - osfamily: 'Debian', + osfamily: 'Debian' } end @@ -25,7 +25,7 @@ context 'when on Debian with the validate_sshd_file setting' do let :facts do { - osfamily: 'Debian', + osfamily: 'Debian' } end let :params do @@ -44,7 +44,7 @@ end standard_facts = { - osfamily: 'Debian', + osfamily: 'Debian' } context 'When on Debian without resource purging' do diff --git a/spec/classes/server_spec.rb b/spec/classes/server_spec.rb index 0e3c59cb..09cae7b6 100644 --- a/spec/classes/server_spec.rb +++ b/spec/classes/server_spec.rb @@ -20,7 +20,7 @@ let :facts do { osfamily: 'RedHat', - operatingsystemmajrelease: '6', + operatingsystemmajrelease: '6' } end @@ -64,7 +64,7 @@ ['Debian'].each do |osfamily| let :facts do { - osfamily: osfamily, + osfamily: osfamily } end 
@@ -102,7 +102,7 @@ { osfamily: 'Archlinux', lsbdistdescription: 'Arch Linux', - lsbdistid: 'Arch', + lsbdistid: 'Arch' } end diff --git a/spec/defines/client/config/user_spec.rb b/spec/defines/client/config/user_spec.rb index ad49d69e..47a2f8ec 100644 --- a/spec/defines/client/config/user_spec.rb +++ b/spec/defines/client/config/user_spec.rb @@ -18,7 +18,7 @@ let :facts do { osfamily: 'RedHat', - operatingsystemmajrelease: '6', + operatingsystemmajrelease: '6' } end diff --git a/spec/defines/server/config/setting_spec.rb b/spec/defines/server/config/setting_spec.rb index 8b4d1674..4d95a29c 100644 --- a/spec/defines/server/config/setting_spec.rb +++ b/spec/defines/server/config/setting_spec.rb @@ -8,7 +8,7 @@ let :facts do { osfamily: 'RedHat', - operatingsystemmajrelease: '6', + operatingsystemmajrelease: '6' } end diff --git a/spec/defines/server/host_key_spec.rb b/spec/defines/server/host_key_spec.rb index 1364c547..26a20e0f 100644 --- a/spec/defines/server/host_key_spec.rb +++ b/spec/defines/server/host_key_spec.rb @@ -10,7 +10,7 @@ let :facts do { osfamily: 'RedHat', - operatingsystemmajrelease: '6', + operatingsystemmajrelease: '6' } end diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index 627d3520..fef3ee93 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb @@ -8,16 +8,16 @@ 'eth0' => { 'bindings' => [ { - 'address' => '192.168.1.1', - }, - ], + 'address' => '192.168.1.1' + } + ], 'bindings6' => [ { - 'address' => '::1', - }, - ], - }, - }, + 'address' => '::1' + } + ] + } + } }, concat_basedir: '/tmp', puppetversion: '3.7.0', From 0f466866ddcef135493b3b04c605b00ddc52edc3 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Mon, 17 Dec 2018 17:00:18 +0100 Subject: [PATCH 107/246] enable lint/hashsyntax cop --- .rubocop.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.rubocop.yml b/.rubocop.yml index fd9fe749..f6353134 100644 --- a/.rubocop.yml +++ b/.rubocop.yml 
@@ -38,7 +38,7 @@ Lint/LiteralInInterpolation: Enabled: true Style/HashSyntax: - Enabled: false + Enabled: true Style/RedundantReturn: Enabled: true From 77f41a6b8d714583761c61e1d1ab9d02698a769e Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Mon, 31 Dec 2018 17:01:36 +0100 Subject: [PATCH 108/246] drop ruby 2.1/2.2 support during travis tests --- .travis.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.travis.yml b/.travis.yml index 742b81c8..7df8998e 100644 --- a/.travis.yml +++ b/.travis.yml @@ -14,9 +14,7 @@ script: matrix: fast_finish: true include: - - rvm: 2.1 - env: PUPPET_VERSION="~> 4.0" STRICT_VARIABLES="yes" CHECK=test - - rvm: 2.2 + - rvm: 2.3.1 env: PUPPET_VERSION="~> 4.0" STRICT_VARIABLES="yes" CHECK=test - rvm: 2.3.1 env: PUPPET_VERSION="~> 4.0" STRICT_VARIABLES="yes" CHECK=rubocop From 00f9843f7c8d516c3e4581105ee6a520ca92b06d Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Mon, 31 Dec 2018 17:01:47 +0100 Subject: [PATCH 109/246] new release: v5.0.0 --- metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/metadata.json b/metadata.json index 4da6c82d..1a54420e 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "saz-ssh", - "version": "4.0.0", + "version": "5.0.0", "author": "saz", "summary": "Manage SSH client and server via Puppet.", "description": "Manage SSH client and server via puppet", From 57dc6e1fd7b96eac92f18973300959168a062655 Mon Sep 17 00:00:00 2001 From: Martin Merfort Date: Thu, 3 Jan 2019 11:13:56 +0100 Subject: [PATCH 110/246] Test module with Puppet 6.1 * Add Puppet 6.1 with Ruby 2.5.3 to .travis.yaml * Install sshkeys_core if using Puppet >= 6 --- .fixtures.yml | 5 ++++- .travis.yml | 4 ++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/.fixtures.yml b/.fixtures.yml index d76bdb8d..70675ce3 100644 --- a/.fixtures.yml +++ b/.fixtures.yml 
@@ -1,4 +1,7 @@ fixtures: repositories: stdlib: "https://github.com/puppetlabs/puppetlabs-stdlib" - concat: "https://github.com/puppetlabs/puppetlabs-concat" \ No newline at end of file + concat: "https://github.com/puppetlabs/puppetlabs-concat" + sshkeys_core: + repo: "https://github.com/puppetlabs/puppetlabs-sshkeys_core" + puppet_version: ">= 6.0.0" diff --git a/.travis.yml b/.travis.yml index 7df8998e..a9722d4b 100644 --- a/.travis.yml +++ b/.travis.yml @@ -24,6 +24,10 @@ matrix: env: PUPPET_VERSION="~> 5.0" STRICT_VARIABLES="yes" CHECK=test - rvm: 2.3.1 env: PUPPET_VERSION="~> 5.0" STRICT_VARIABLES="yes" CHECK=rubocop + - rvm: 2.5.3 + env: PUPPET_VERSION="~> 6.1" STRICT_VARIABLES="yes" CHECK=test + - rvm: 2.5.3 + env: PUPPET_VERSION="~> 6.1" STRICT_VARIABLES="yes" CHECK=rubocop notifications: email: false deploy: From 9188910b01f8a77606672f4383d56dda7cd4b82b Mon Sep 17 00:00:00 2001 From: Robert Brooks Date: Wed, 27 Feb 2019 21:07:41 -0800 Subject: [PATCH 111/246] don't fail at deep_merge if hiera data not available --- manifests/client.pp | 2 +- manifests/init.pp | 8 ++++---- manifests/server.pp | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/manifests/client.pp b/manifests/client.pp index a554eb86..5c7c2bd7 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -7,7 +7,7 @@ ) inherits ssh::params { # Merge hashes from multiple layer of hierarchy in hiera - $hiera_options = lookup("${module_name}::client::options", Optional[Hash], 'deep', undef) + $hiera_options = lookup("${module_name}::client::options", Optional[Hash], 'deep', {}) $fin_options = deep_merge($hiera_options, $options) diff --git a/manifests/init.pp b/manifests/init.pp index 923b28c7..4f3130f0 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
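Review bot: Now that `lookup` is given a `{}` default, the `Optional[Hash]` value type on the new client.pp line is looser than it needs to be; `Hash` would do, and would, I believe, report a key explicitly set to null in hiera data as a lookup type mismatch instead of letting an undef through to `deep_merge` — the failure this commit is fixing. `$hiera_options = lookup("${module_name}::client::options", Hash, 'deep', {})`. The same pattern is repeated in the init.pp and server.pp hunks that follow.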
@@ -15,10 +15,10 @@ ) inherits ssh::params { # Merge hashes from multiple layer of hierarchy in hiera - $hiera_server_options = lookup("${module_name}::server_options", Optional[Hash], 'deep', undef) - $hiera_server_match_block = lookup("${module_name}::server_match_block", Optional[Hash], 'deep', undef) - $hiera_client_options = lookup("${module_name}::client_options", Optional[Hash], 'deep', undef) - $hiera_users_client_options = lookup("${module_name}::users_client_options", Optional[Hash], 'deep', undef) + $hiera_server_options = lookup("${module_name}::server_options", Optional[Hash], 'deep', {}) + $hiera_server_match_block = lookup("${module_name}::server_match_block", Optional[Hash], 'deep', {}) + $hiera_client_options = lookup("${module_name}::client_options", Optional[Hash], 'deep', {}) + $hiera_users_client_options = lookup("${module_name}::users_client_options", Optional[Hash], 'deep', {}) $fin_server_options = deep_merge($hiera_server_options, $server_options) $fin_server_match_block = deep_merge($hiera_server_match_block, $server_match_block) diff --git a/manifests/server.pp b/manifests/server.pp index e7f65a5a..ed229a54 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -10,8 +10,8 @@ ) inherits ssh::params { # Merge hashes from multiple layer of hierarchy in hiera - $hiera_options = lookup("${module_name}::server::options", Optional[Hash], 'deep', undef) - $hiera_match_block = lookup("${module_name}::server::match_block", Optional[Hash], 'deep', undef) + $hiera_options = lookup("${module_name}::server::options", Optional[Hash], 'deep', {}) + $hiera_match_block = lookup("${module_name}::server::match_block", Optional[Hash], 'deep', {}) $fin_options = deep_merge($hiera_options, $options) $fin_match_block = deep_merge($hiera_match_block, $match_block) From 2022e7dbb7e00d0f786532485bee659e44c51911 Mon Sep 17 00:00:00 2001 
From: Patrick Emery Date: Mon, 18 Mar 2019 20:24:59 -0400 Subject: [PATCH 112/246] Fix typo in match_block example in README --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 81376e4a..897cd8ee 100644 --- a/README.md +++ b/README.md @@ -84,7 +84,7 @@ ssh::server_options: UsePAM: 'yes' X11Forwarding: 'yes' -ssh::server_match_block: +ssh::server::match_block: filetransfer: type: group options: From 61dc3ccb311f944247e21e01dbf7e8299f8008ed Mon Sep 17 00:00:00 2001 From: Alexander Fisher Date: Thu, 30 May 2019 16:41:14 +0100 Subject: [PATCH 113/246] Allow `puppetlabs` `stdlib` and `concat` 6.x --- metadata.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/metadata.json b/metadata.json index 1a54420e..6475f3b5 100644 --- a/metadata.json +++ b/metadata.json @@ -10,11 +10,11 @@ "dependencies": [ { "name": "puppetlabs/stdlib", - "version_requirement": ">= 4.24.0 < 6.0.0" + "version_requirement": ">= 4.24.0 < 7.0.0" }, { "name": "puppetlabs/concat", - "version_requirement": ">= 2.2.0 < 6.0.0" + "version_requirement": ">= 2.2.0 < 7.0.0" } ], "operatingsystem_support": [ From 2211483367541e25719668e968c4db1aaf6ba66b Mon Sep 17 00:00:00 2001 
From: Alexander Fisher Date: Wed, 20 Mar 2019 17:38:38 +0000 Subject: [PATCH 114/246] Convert `ipaddresses` to 4x API namespaced function The modern API ruby functions don't have any environment isolation issues, can be namespaced, perform automatic type checking etc. Fixes #270 See http://puppet-on-the-edge.blogspot.com/2015/01/the-puppet-4x-function-api.html and https://github.com/puppetlabs/puppet-specifications/blob/0286d30dc903f36c36879cef6f09a9226c8096fc/language/func-api.md --- lib/puppet/functions/ssh/ipaddresses.rb | 40 ++++++++++ lib/puppet/parser/functions/ipaddresses.rb | 41 ---------- manifests/hostkeys.pp | 2 +- metadata.json | 2 +- spec/fixtures/.gitignore | 3 +- spec/fixtures/mock-interface-fact.json | 89 ++++++++++++++++++++++ spec/functions/ssh/ipaddresses_spec.rb | 30 ++++++++ 7 files changed, 163 insertions(+), 44 deletions(-) create mode 100644 lib/puppet/functions/ssh/ipaddresses.rb delete mode 100644 lib/puppet/parser/functions/ipaddresses.rb create mode 100644 spec/fixtures/mock-interface-fact.json create mode 100644 spec/functions/ssh/ipaddresses_spec.rb diff --git a/lib/puppet/functions/ssh/ipaddresses.rb b/lib/puppet/functions/ssh/ipaddresses.rb new file mode 100644 index 00000000..466647a3 --- /dev/null +++ b/lib/puppet/functions/ssh/ipaddresses.rb 
@@ -0,0 +1,40 @@
+# @summary Returns ip addresses of network interfaces (except lo) found by facter.
+# @api private
+#
+# Returns all ip addresses of network interfaces (except lo) found by facter.
+# Special network interfaces (e.g. docker0) can be excluded by an exclude list.
+Puppet::Functions.create_function(:'ssh::ipaddresses') do
+ dispatch :ipaddresses do
+ # @param excluded_interfaces An array of interface names to be excluded.
+ # @return The IP addresses found.
+ optional_param 'Array[String[1]]', :excluded_interfaces
+ return_type 'Array[Stdlib::IP::Address]'
+ end
+
+ def ipaddresses(excluded_interfaces = [])
+ facts = closure_scope['facts']
+
+ # always exclude loopback interface
+ excluded_interfaces += ['lo']
+
+ result = []
+ facts['networking']['interfaces'].each do |iface, data|
+ # skip excluded interfaces
+ next if excluded_interfaces.include?(iface)
+
+ %w[bindings bindings6].each do |binding_type|
+ next unless data.key?(binding_type)
+ data[binding_type].each do |binding|
+ next unless binding.key?('address')
+ result << binding['address']
+ end
+ end
+ end
+
+ # Throw away any v6 link-local addresses
+ fe8064 = IPAddr.new('fe80::/64')
+ result.delete_if { |ip| fe8064.include? IPAddr.new(ip) }
+
+ result.uniq
+ end
+end
diff --git a/lib/puppet/parser/functions/ipaddresses.rb b/lib/puppet/parser/functions/ipaddresses.rb
deleted file mode 100644
index 432871d8..00000000
--- a/lib/puppet/parser/functions/ipaddresses.rb
+++ /dev/null
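Review bot: `facts['networking']['interfaces'].each` raises `NoMethodError` on a node whose facts carry no `networking` hash or no `interfaces` key, where the parser function this replaces returned `false`; the new function should guard the same way, e.g. `interfaces = (facts['networking'] || {})['interfaces'] || {}` and iterate that, returning an empty array (the declared `return_type` rules out the old `false` anyway). `IPAddr` is used without `require 'ipaddr'`, as in the old code — it works because Puppet has already loaded it, but a require at the top keeps the file self-contained. `IPAddr.new(ip)` also raises `IPAddr::InvalidAddressError` on any binding address it cannot parse, which would abort catalog compilation rather than skip that one address; if facter can emit such values (a zone-suffixed link-local address, for instance — worth checking), a `rescue IPAddr::InvalidAddressError` in the filter that drops the entry is the safer behaviour.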
@@ -1,41 +0,0 @@ -module Puppet::Parser::Functions - newfunction(:ipaddresses, type: :rvalue, doc: <<-EOS - Returns all ip addresses of network interfaces (except lo) found by facter. - Special network interfaces (e.g. docker0) can be excluded by an exclude list as - first argument for this function. -EOS - ) do |args| - networking = lookupvar('networking') - - # always exclude loopback interface - interfaces_exclude = ['lo'] - if args.size == 1 - unless args[0].is_a?(Array) - raise(Puppet::ParseError, 'ipaddresses(): Requires first argument to be an Array') - end - interfaces_exclude << args[0] - end - - return false unless networking.include?('interfaces') - - result = [] - networking['interfaces'].each do |iface, data| - # skip excluded interfaces - next if interfaces_exclude.include?(iface) - - %w[bindings bindings6].each do |binding_type| - next unless data.key?(binding_type) - data[binding_type].each do |binding| - next unless binding.key?('address') - result << binding['address'] - end - end - end - - # Throw away any v6 link-local addresses - fe8064 = IPAddr.new('fe80::/64') - result.delete_if { |ip| fe8064.include? IPAddr.new(ip) } - - return result.uniq - end -end diff --git a/manifests/hostkeys.pp b/manifests/hostkeys.pp index f7662814..5271681e 100644 --- a/manifests/hostkeys.pp +++ b/manifests/hostkeys.pp @@ -8,7 +8,7 @@ ) { if $export_ipaddresses == true { - $ipaddresses = ipaddresses($exclude_interfaces) + $ipaddresses = ssh::ipaddresses($exclude_interfaces) $ipaddresses_real = $ipaddresses - $exclude_ipaddresses $host_aliases = unique(flatten([ $::fqdn, $::hostname, $extra_aliases, $ipaddresses_real ])) } else { diff --git a/metadata.json b/metadata.json index 6475f3b5..0c8331c5 100644 --- a/metadata.json +++ b/metadata.json @@ -10,7 +10,7 @@ "dependencies": [ { "name": "puppetlabs/stdlib", - "version_requirement": ">= 4.24.0 < 7.0.0" + "version_requirement": ">= 4.25.0 < 7.0.0" }, { "name": "puppetlabs/concat", 
diff --git a/spec/fixtures/.gitignore b/spec/fixtures/.gitignore index 0616a13e..81820739 100644 --- a/spec/fixtures/.gitignore +++ b/spec/fixtures/.gitignore @@ -1,5 +1,6 @@ # Ignore everything in this directory * -# Except this file +# Except these files !.gitignore !site.pp +!mock-interface-fact.json diff --git a/spec/fixtures/mock-interface-fact.json b/spec/fixtures/mock-interface-fact.json new file mode 100644 index 00000000..b6ed4ccc --- /dev/null +++ b/spec/fixtures/mock-interface-fact.json 
@@ -0,0 +1,89 @@ +{ + "networking": { + "interfaces": { + "docker0": { + "bindings": [ + { + "address": "172.17.0.1", + "netmask": "255.255.0.0", + "network": "172.17.0.0" + } + ], + "bindings6": [ + { + "address": "fe80::42:2fff:fea3:f2b7", + "netmask": "ffff:ffff:ffff:ffff::", + "network": "fe80::" + } + ], + "ip": "172.17.0.1", + "ip6": "fe80::42:2fff:fea3:f2b7", + "mac": "02:42:2f:a3:f2:b7", + "mtu": 1500, + "netmask": "255.255.0.0", + "netmask6": "ffff:ffff:ffff:ffff::", + "network": "172.17.0.0", + "network6": "fe80::" + }, + "eno1": { + "bindings": [ + { + "address": "10.13.42.61", + "netmask": "255.255.255.0", + "network": "10.13.42.0" + }, + { + "address": "10.0.0.110", + "netmask": "255.255.255.255", + "network": "10.0.0.110" + }, + { + "address": "10.0.0.104" + }, + { + "address": "10.0.0.109" + } + ], + "bindings6": [ + { + "address": "fe80::6544:473a:6ea4:c385", + "netmask": "ffff:ffff:ffff:ffff::", + "network": "fe80::" + } + ], + "dhcp": "10.13.42.1", + "ip": "10.13.42.61", + "ip6": "fe80::6544:473a:6ea4:c385", + "mac": "08:00:20:97:23:d1", + "mtu": 1500, + "netmask": "255.255.255.0", + "netmask6": "ffff:ffff:ffff:ffff::", + "network": "10.13.42.0", + "network6": "fe80::" + }, + "lo": { + "bindings": [ + { + "address": "127.0.0.1", + "netmask": "255.0.0.0", + "network": "127.0.0.0" + } + ], + "bindings6": [ + { + "address": "::1", + "netmask": "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", + "network": "::1" + } + ], + "ip": "127.0.0.1", + "ip6": "::1", + "mtu": 65536, + "netmask": "255.0.0.0", + "netmask6": "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", + "network": "127.0.0.0", + "network6": "::1" + } + } + } +} diff --git a/spec/functions/ssh/ipaddresses_spec.rb b/spec/functions/ssh/ipaddresses_spec.rb new file mode 100644 index 00000000..b9689864 --- /dev/null +++ b/spec/functions/ssh/ipaddresses_spec.rb 
@@ -0,0 +1,30 @@ +require 'spec_helper' + +describe 'ssh::ipaddresses', type: :puppet_function do + it 'exists' do + is_expected.not_to be_nil + end + + context 'with dummy fact data' do + let(:facts) do + JSON.parse File.read(File.join(File.dirname(__FILE__), '../../fixtures/mock-interface-fact.json')) + end + + describe 'without parameters' do + it 'returns all IPs other than localhost' do + is_expected.to run.and_return(['172.17.0.1', '10.13.42.61', '10.0.0.110', '10.0.0.104', '10.0.0.109']) + end + end + + describe 'with excluded interface' do + it 'doesn\'t return the IPs of excluded interface' do + is_expected.to run.with_params(['docker0']).and_return(['10.13.42.61', '10.0.0.110', '10.0.0.104', '10.0.0.109']) + end + end + describe 'with excluded interfaces' do + it 'doesn\'t return the IPs of those interfaces' do + is_expected.to run.with_params(%w[docker0 eno1]).and_return([]) + end + end + end +end From 8bd13a85b0a03dbc7e63e6f58dc849f2a4f7de26 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Tue, 11 Jun 2019 11:22:16 +0200 Subject: [PATCH 115/246] add CHANGELOG, fixes #222 --- CHANGELOG.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 CHANGELOG.md diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 00000000..90aea16c --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,16 @@ +# Changelog +All notable changes to this project will be documented in this file. + +The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), +and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). + +## [6.0.0] +### Fixed +- don't fail at deep_merge if hiera data not available, see #272 +- Fix typo in match_block example in README, see #271, #273 +### Added +- Add CHANGELOG (starting with this release), see #222 +- Test module with Puppet 6.1, see #269 +### Changed +- Convert `ipaddresses` to 4x API namespaced function, see #270 +- Allow `puppetlabs` `stdlib` and `concat` 6.x, see #280 
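Review bot: The examples cover only the happy path; nothing asserts the `fe80::/64` filter directly (it is exercised implicitly because the fixture carries link-local `bindings6`) and nothing exercises a node without a `networking` fact, which is the case most likely to surface an exception from the function. A `describe 'without networking fact'` example with `let(:facts) { {} }` expecting either `[]` or a specific error would pin that behaviour. `JSON.parse` is used without `require 'json'`, presumably provided via `spec_helper`; a one-line require would make the spec self-contained.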
From 52750b9396fe706541ae9a849a0adfd1cbdba442 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Tue, 11 Jun 2019 11:22:56 +0200 Subject: [PATCH 116/246] new release: v6.0.0 --- metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/metadata.json b/metadata.json index 0c8331c5..ff36e67e 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "saz-ssh", - "version": "5.0.0", + "version": "6.0.0", "author": "saz", "summary": "Manage SSH client and server via Puppet.", "description": "Manage SSH client and server via puppet", From 86914f4aebcaed97c512cde7acafc52771ef83c4 Mon Sep 17 00:00:00 2001 From: Karl Vollmer Date: Thu, 13 Jun 2019 13:37:42 -0300 Subject: [PATCH 117/246] Don't populate options which have a value of `undef` (Tranlates to `nil` in Ruby ERBs) --- templates/options.erb | 8 ++++---- templates/sshd_config.erb | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/templates/options.erb b/templates/options.erb index 83b86cfa..e7f30be1 100644 --- a/templates/options.erb +++ b/templates/options.erb @@ -18,22 +18,22 @@ <%- value = v[key] -%> <%- if value.is_a?(Array) -%> <%- value.each do |a| -%> - <%- if a != '' -%> + <%- if a != '' && a != nil -%> <%= key %> <%= bool2str(a) %> <%- end -%> <%- end -%> - <%- elsif value != '' -%> + <%- elsif value != '' && value != nil -%> <%= key %> <%= bool2str(value) %> <%- end -%> <%- end -%> <%- else -%> <%- if v.is_a?(Array) -%> <%- v.each do |a| -%> -<%- if a != '' -%> +<%- if a != '' && a != nil -%> <%= k %> <%= bool2str(a) %> <%- end -%> <%- end -%> -<%- elsif v != :undef and v != '' -%> +<%- elsif v != nil and v != '' -%> <%= k %> <%= bool2str(v) %> <%- end -%> <%- end -%> diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb index bd594a67..374441fa 100644 --- a/templates/sshd_config.erb +++ b/templates/sshd_config.erb 
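Review bot: The new guards compare against `nil` with `!=` (`a != '' && a != nil`) while the scalar branch a few lines below switches to `and` (`v != nil and v != ''`); `and` binds looser than `&&` and is harmless here, but the two forms in one template read as two authors. `<%- if a != '' && !a.nil? -%>` and `<%- elsif !v.nil? && v != '' -%>` keep both branches on one idiom. The identical four changes appear in the sshd_config.erb hunk that follows; both templates' enclosing loops start before their hunks.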
@@ -42,22 +42,22 @@ ListenAddress <%= listen %> <%- value = v[key] -%> <%- if value.is_a?(Array) -%> <%- value.each do |a| -%> - <%- if a != '' -%> + <%- if a != '' && a != nil -%> <%= key %> <%= bool2str(a) %> <%- end -%> <%- end -%> - <%- elsif value != '' -%> + <%- elsif value != '' && value != nil -%> <%= key %> <%= bool2str(value) %> <%- end -%> <%- end -%> <%- else -%> <%- if v.is_a?(Array) -%> <%- v.each do |a| -%> -<%- if a != '' -%> +<%- if a != '' && a != nil -%> <%= k %> <%= bool2str(a) %> <%- end -%> <%- end -%> -<%- elsif v != :undef and v != '' -%> +<%- elsif v != nil and v != '' -%> <%= k %> <%= bool2str(v) %> <%- end -%> <%- end -%> From 47ab219c67251f6590557352e99c3151df8e34ed Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Magnus=20Horsg=C3=A5rd=20Watn?= Date: Tue, 2 Jul 2019 17:52:13 +0200 Subject: [PATCH 118/246] Do not show diff when installing a ssh private host key --- manifests/server/host_key.pp | 30 ++++++++++++++++-------------- 1 file changed, 16 insertions(+), 14 deletions(-) diff --git a/manifests/server/host_key.pp b/manifests/server/host_key.pp index 0f01accf..45a4d857 100644 --- a/manifests/server/host_key.pp +++ b/manifests/server/host_key.pp @@ -96,14 +96,15 @@ } file {"${name}_priv": - ensure => $ensure, - owner => 0, - group => $::ssh::params::host_priv_key_group, - mode => '0600', - path => "${::ssh::params::sshd_dir}/${name}", - source => $manage_priv_key_source, - content => $manage_priv_key_content, - notify => Class['ssh::server::service'], + ensure => $ensure, + owner => 0, + group => $::ssh::params::host_priv_key_group, + mode => '0600', + path => "${::ssh::params::sshd_dir}/${name}", + source => $manage_priv_key_source, + content => $manage_priv_key_content, + show_diff => false, + notify => Class['ssh::server::service'], } } else { file {"${name}_pub": 
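Review bot: `show_diff => false` on `${name}_priv` keeps the private key out of the agent's change output, but `$manage_priv_key_content` still travels in clear in the compiled catalog and the agent's cached copy of it; wrapping it as `content => Sensitive($manage_priv_key_content)` would additionally redact it from logs and reports wherever the value is rendered, and I believe `file` then suppresses the diff itself — worth verifying that the module's supported Puppet range (4.x per the Travis matrix) accepts Sensitive content on `file`. Both `source` and `content` are still set unconditionally on the resource; the assignments that presumably leave one of them undef start before this hunk. The next hunk adds the same `show_diff => false` to the second `${name}_priv` resource; the surrounding `if`/`else` begins before this hunk.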
@@ -116,12 +117,13 @@ } file {"${name}_priv": - ensure => $ensure, - owner => 0, - group => $::ssh::params::host_priv_key_group, - mode => '0600', - path => "${::ssh::params::sshd_dir}/${name}", - notify => Class['ssh::server::service'], + ensure => $ensure, + owner => 0, + group => $::ssh::params::host_priv_key_group, + mode => '0600', + path => "${::ssh::params::sshd_dir}/${name}", + show_diff => false, + notify => Class['ssh::server::service'], } } From 59b04f1edc1a3f767c726d9f2999edd52c8024bd Mon Sep 17 00:00:00 2001 From: Steffy Fort Date: Tue, 9 Jul 2019 11:09:12 +0200 Subject: [PATCH 119/246] add docmentation to pdk style, indent code --- manifests/client.pp | 22 +++++++ manifests/hostkeys.pp | 6 +- manifests/init.pp | 100 ++++++++++++++++++++++++++++- manifests/knownhosts.pp | 9 +++ manifests/params.pp | 5 ++ manifests/server.pp | 34 ++++++++++ manifests/server/config.pp | 5 ++ manifests/server/config/setting.pp | 5 ++ manifests/server/install.pp | 10 ++- manifests/server/match_block.pp | 11 +++- manifests/server/options.pp | 10 ++- manifests/server/service.pp | 9 +++ 12 files changed, 221 insertions(+), 5 deletions(-) diff --git a/manifests/client.pp b/manifests/client.pp index 5c7c2bd7..f7009990 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -1,3 +1,25 @@ +# @summary +# This class add ssh client management +# +# @example Puppet usage +# class { 'ssh::client': +# ensure => present, +# storeconfigs_enabled => true, +# use_augeas => false, +# } +# +# @param ensure +# Ensurable param to ssh client +# +# @param storeconfigs_enabled +# Collected host keys from servers will be written to known_hosts unless storeconfigs_enabled is false +# +# @param options +# Dynamic hash for openssh client options +# +# @param options_absent +# Remove options (with augeas style) +# class ssh::client( String $ensure = present, Boolean $storeconfigs_enabled = true, diff --git a/manifests/hostkeys.pp b/manifests/hostkeys.pp index 5271681e..ba35c0cf 100644 
--- a/manifests/hostkeys.pp +++ b/manifests/hostkeys.pp @@ -1,4 +1,8 @@ -# Class ssh::hostkeys +# @summary +# This class manged hostkeys +# +# @api private +# class ssh::hostkeys( Boolean $export_ipaddresses = true, Optional[String] $storeconfigs_group = undef, diff --git a/manifests/init.pp b/manifests/init.pp index 4f3130f0..392dddf2 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -1,4 +1,102 @@ -# Main file for puppet-ssh +# @summary +# This class managed ssh, client and server +# +# @example Puppet usage +# class { 'ssh': +# storeconfigs_enabled => false, +# server_options => { +# 'Match User www-data' => { +# 'ChrootDirectory' => '%h', +# 'ForceCommand' => 'internal-sftp', +# 'PasswordAuthentication' => 'yes', +# 'AllowTcpForwarding' => 'no', +# 'X11Forwarding' => 'no', +# }, +# 'Port' => [22, 2222, 2288], +# }, +# client_options => { +# 'Host *.amazonaws.com' => { +# 'User' => 'ec2-user', +# }, +# }, +# users_client_options => { +# 'bob' => { +# options => { +# 'Host *.alice.fr' => { +# 'User' => 'alice', +# }, +# }, +# }, +# }, +# } +# +# @example hiera usage +# ssh::storeconfigs_enabled: true +# +# ssh::server_options: +# Protocol: '2' +# ListenAddress: +# - '127.0.0.0' +# - '%{::hostname}' +# PasswordAuthentication: 'yes' +# SyslogFacility: 'AUTHPRIV' +# UsePAM: 'yes' +# X11Forwarding: 'yes' +# +# ssh::server::match_block: +# filetransfer: +# type: group +# options: +# ChrootDirectory: /home/sftp +# ForceCommand: internal-sftp +# +# ssh::client_options: +# 'Host *': +# SendEnv: 'LANG LC_*' +# ForwardX11Trusted: 'yes' +# ServerAliveInterval: '10' +# +# ssh::users_client_options: +# 'bob': +# 'options': +# 'Host *.alice.fr': +# 'User': 'alice' +# 'PasswordAuthentication': 'no' +# +# +# @param server_options +# Add dynamic options for ssh server config +# +# @param server_match_block +# Add match block for ssh server config +# +# @param client_options +# Add dynamic options for ssh client config +# +# @param users_client_options +# Add users options for ssh client config +# +# @param version +# Define package version (pacakge ressource) +# +# @param storeconfigs_enabled +# Default value for storeconfigs_enabled (client and server) +# +# @param validate_sshd_file +# Default value for validate_sshd_file (server) +# +# @param use_augeas +# Default value to use augeas (client and server) +# +# @param server_options_absent +# List of 
options to remove for server config (augeas only) +# +# @param client_options_absent +# List of options to remove for client config (augeas only) +# +# @param use_issue_net +# Use issue_net header +# class ssh ( Hash $server_options = {}, Hash $server_match_block = {}, diff --git a/manifests/knownhosts.pp b/manifests/knownhosts.pp index 19c92131..cd7cf583 100644 --- a/manifests/knownhosts.pp +++ b/manifests/knownhosts.pp @@ -1,3 +1,12 @@ +# @summary +# This class manged knownhosts if collect is enable +# +# @param collect_enabled +# Enabled collect +# +# @param storeconfigs_group +# Define the hostkeys group storage +# class ssh::knownhosts( Boolean $collect_enabled = $ssh::params::collect_enabled, Optional[String] $storeconfigs_group = undef, diff --git a/manifests/params.pp b/manifests/params.pp index b8d00d98..d6af325e 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -1,3 +1,8 @@ +# @summary +# Params class +# +# @api private +# class ssh::params { case $::osfamily { 'Debian': { diff --git a/manifests/server.pp b/manifests/server.pp index ed229a54..ba9f502a 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -1,3 +1,37 @@ +# @summary +# This class managed ssh server +# +# @example Puppet usage +# class { 'ssh::server': +# ensure => present, +# storeconfigs_enabled => true, +# use_issue_net => false, +# } +# +# @param ensure +# Ensurable param to ssh server +# +# @param storeconfigs_enabled +# Host keys will be collected and distributed unless storeconfigs_enabled is false. +# +# @param options +# Dynamic hash for openssh server option +# +# @param validate_sshd_file +# Add sshd file validate cmd +# +# @param use_augeas +# Use augeas for configuration (default concat) +# +# @param options_absent +# Remove options (with augeas style) +# +# @param match_block +# Add sshd match_block (with concat) +# +# @use_issue_net +# Add issue_net banner +# class ssh::server( String $ensure = present, Boolean $storeconfigs_enabled = true, 
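Review bot: `# @use_issue_net` in the server.pp header is not a recognised puppet-strings tag, so that parameter will drop out of the generated docs; it should read `# @param use_issue_net`. The other headers in this commit carry spelling slips that will be published verbatim — "manged" (hostkeys.pp, knownhosts.pp), "pacakge ressource" under `@param version` in init.pp, and "This class managed" / "This class add" where "manages" / "adds" is meant. "Enabled collect" under `@param collect_enabled` in knownhosts.pp could also say what is collected.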
diff --git a/manifests/server/config.pp b/manifests/server/config.pp index 1236c2e4..97dc5ce3 100644 --- a/manifests/server/config.pp +++ b/manifests/server/config.pp @@ -1,3 +1,8 @@ +# @summary +# Managed ssh server configuration +# +# @api private +# class ssh::server::config { $options = $::ssh::server::merged_options diff --git a/manifests/server/config/setting.pp b/manifests/server/config/setting.pp index 9232bb60..a8f0327e 100644 --- a/manifests/server/config/setting.pp +++ b/manifests/server/config/setting.pp @@ -1,3 +1,8 @@ +# @summary +# Internal define to managed ssh server param +# +# @api private +# define ssh::server::config::setting ( $key, $value, diff --git a/manifests/server/install.pp b/manifests/server/install.pp index 973825d9..5ab1e83c 100644 --- a/manifests/server/install.pp +++ b/manifests/server/install.pp @@ -1,6 +1,14 @@ +# @summary +# Install ssh server package +# +# @api private +# class ssh::server::install { include ::ssh::params if $ssh::params::server_package_name { - ensure_packages([$ssh::params::server_package_name], {'ensure' => $ssh::server::ensure}) + ensure_packages( + [$ssh::params::server_package_name], + { 'ensure' => $ssh::server::ensure } + ) } } diff --git a/manifests/server/match_block.pp b/manifests/server/match_block.pp index c65d2f94..ba484b7f 100644 --- a/manifests/server/match_block.pp +++ b/manifests/server/match_block.pp @@ -1,4 +1,13 @@ -define ssh::server::match_block ($options, $type = 'user', $order = 50,) { +# @summary +# Add match_block to ssh server config (concat needed) +# +# @api private +# +define ssh::server::match_block ( + Hash $options = {}, + String $type = 'user', + Integer $order = 50, +) { if $::ssh::server::use_augeas { fail('ssh::server::match_block() define not supported with use_augeas = true') } else { diff --git a/manifests/server/options.pp b/manifests/server/options.pp index 6246bd90..de451eb5 100644 --- a/manifests/server/options.pp +++ b/manifests/server/options.pp 
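Review bot: `String $type = 'user'` in match_block.pp accepts any text, but sshd's `Match` keyword takes a fixed set of criteria, so a typo here yields a config that sshd rejects at reload rather than a compile-time error; assuming the template writes `$type` out verbatim, `Enum['user', 'group', 'host', 'address', 'localaddress', 'localport'] $type = 'user'` would catch it at compile time (keep whatever spelling the template expects). Giving `$options` a `{}` default also turns a formerly mandatory argument optional; an empty Match block is legal but almost always a caller mistake, so either keep it required or document that an empty hash is intentional. The define's body continues outside the hunk.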
@@ -1,4 +1,12 @@ -define ssh::server::options ($options, $order = 50) { +# @summary +# Managed ssh server options +# +# @api private +# +define ssh::server::options ( + Hash $options = {}, + Integer $order = 50 +) { concat::fragment { "options ${name}": target => $ssh::params::sshd_config, content => template("${module_name}/options.erb"), diff --git a/manifests/server/service.pp b/manifests/server/service.pp index bc278e0e..fd104e6f 100644 --- a/manifests/server/service.pp +++ b/manifests/server/service.pp @@ -1,3 +1,12 @@ +# @summary +# This class managed ssh server service +# +# @param ensure +# Ensurable service param +# +# @param enable +# Define if service is enable +# class ssh::server::service ( String $ensure = 'running', Boolean $enable = true From 82ea9a3e0fa3538efcf5d5e5ca00d3e31eec6725 Mon Sep 17 00:00:00 2001 From: Pascal Jufer Date: Mon, 4 Nov 2019 11:29:24 +0100 Subject: [PATCH 120/246] Sort hostkeys This avoids reloads of hostkeys after Puppet runs. --- manifests/hostkeys.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/hostkeys.pp b/manifests/hostkeys.pp index 5271681e..b9c67ab3 100644 --- a/manifests/hostkeys.pp +++ b/manifests/hostkeys.pp @@ -10,9 +10,9 @@ if $export_ipaddresses == true { $ipaddresses = ssh::ipaddresses($exclude_interfaces) $ipaddresses_real = $ipaddresses - $exclude_ipaddresses - $host_aliases = unique(flatten([ $::fqdn, $::hostname, $extra_aliases, $ipaddresses_real ])) + $host_aliases = sort(unique(flatten([ $::fqdn, $::hostname, $extra_aliases, $ipaddresses_real ]))) } else { - $host_aliases = unique(flatten([ $::fqdn, $::hostname, $extra_aliases])) + $host_aliases = sort(unique(flatten([ $::fqdn, $::hostname, $extra_aliases]))) } if $storeconfigs_group { From 237dfc30b10ace53f897860c486f8f9e12d63c96 Mon Sep 17 00:00:00 2001 
From: Martijn de Gouw Date: Sun, 3 Nov 2019 16:56:42 +0100 Subject: [PATCH 121/246] Use gid 0 instead of group name for $host_priv_key_group FreeBSD 12 does not have a group root, the name of gid 0 is 'wheel'. --- manifests/params.pp | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/manifests/params.pp b/manifests/params.pp index b8d00d98..096c9d1e 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -9,7 +9,7 @@ $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' $service_name = 'ssh' $sftp_server_path = '/usr/lib/openssh/sftp-server' - $host_priv_key_group = 'root' + $host_priv_key_group = 0 } 'RedHat': { $server_package_name = 'openssh-server' @@ -23,7 +23,7 @@ if versioncmp($::operatingsystemmajrelease, '7') >= 0 { $host_priv_key_group = 'ssh_keys' } else { - $host_priv_key_group = 'root' + $host_priv_key_group = 0 } } 'FreeBSD', 'DragonFly': { @@ -35,7 +35,7 @@ $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' $service_name = 'sshd' $sftp_server_path = '/usr/libexec/sftp-server' - $host_priv_key_group = 'root' + $host_priv_key_group = 0 } 'OpenBSD': { $server_package_name = undef @@ -46,7 +46,7 @@ $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' $service_name = 'sshd' $sftp_server_path = '/usr/libexec/sftp-server' - $host_priv_key_group = 'root' + $host_priv_key_group = 0 } 'Darwin': { $server_package_name = undef @@ -57,7 +57,7 @@ $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' $service_name = 'com.openssh.sshd' $sftp_server_path = '/usr/libexec/sftp-server' - $host_priv_key_group = 'root' + $host_priv_key_group = 0 } 'ArchLinux': { $server_package_name = 'openssh' @@ -68,7 +68,7 @@ $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' $service_name = 'sshd.service' $sftp_server_path = '/usr/lib/ssh/sftp-server' - $host_priv_key_group = 'root' + $host_priv_key_group = 0 } 'Suse': { $server_package_name = 'openssh' 
@@ -77,7 +77,7 @@ $sshd_config = '/etc/ssh/sshd_config' $ssh_config = '/etc/ssh/ssh_config' $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' - $host_priv_key_group = 'root' + $host_priv_key_group = 0 case $::operatingsystem { 'SLES': { $service_name = 'sshd' @@ -115,7 +115,7 @@ $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' $service_name = 'svc:/network/ssh:default' $sftp_server_path = 'internal-sftp' - $host_priv_key_group = 'root' + $host_priv_key_group = 0 } default: { $sshd_dir = '/etc/ssh' @@ -124,7 +124,7 @@ $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' $service_name = 'svc:/network/ssh:default' $sftp_server_path = 'internal-sftp' - $host_priv_key_group = 'root' + $host_priv_key_group = 0 case versioncmp($::kernelrelease, '5.10') { 1: { # Solaris 11 and later @@ -155,7 +155,7 @@ $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' $service_name = 'sshd' $sftp_server_path = '/usr/lib/misc/sftp-server' - $host_priv_key_group = 'root' + $host_priv_key_group = 0 } 'Amazon': { $server_package_name = 'openssh-server' @@ -166,7 +166,7 @@ $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' $service_name = 'sshd' $sftp_server_path = '/usr/libexec/openssh/sftp-server' - $host_priv_key_group = 'root' + $host_priv_key_group = 0 } default: { fail("Unsupported platform: ${::osfamily}/${::operatingsystem}") From 1091ff11885ed53f4542b5fd228f816231f942e9 Mon Sep 17 00:00:00 2001 From: Martijn de Gouw Date: Wed, 6 Nov 2019 19:30:27 +0100 Subject: [PATCH 122/246] Update tests for changing from groupname to gid --- spec/defines/server/host_key_spec.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/spec/defines/server/host_key_spec.rb b/spec/defines/server/host_key_spec.rb index 26a20e0f..a009c537 100644 --- a/spec/defines/server/host_key_spec.rb +++ b/spec/defines/server/host_key_spec.rb 
@@ -35,7 +35,7 @@ with_content('bcd'). with_ensure('present'). with_owner(0). - with_group('root'). + with_group(0). with_mode('0600'). with_path('/etc/ssh/something') is_expected.to contain_file('something_cert'). @@ -68,7 +68,7 @@ with_content('bcd'). with_ensure('present'). with_owner(0). - with_group('root'). + with_group(0). with_mode('0600'). with_path('/etc/ssh/something') is_expected.not_to contain_file('something_cert') @@ -99,7 +99,7 @@ with_source('b'). with_ensure('present'). with_owner(0). - with_group('root'). + with_group(0). with_mode('0600'). with_path('/etc/ssh/something') is_expected.not_to contain_file('something_cert') From 8f944eb48947d3386818c7daff9aa1d7ad839e12 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Sat, 8 Feb 2020 16:25:07 +0100 Subject: [PATCH 123/246] add parameter to switch to trusted facts, fixes #226 --- manifests/hostkeys.pp | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/manifests/hostkeys.pp b/manifests/hostkeys.pp index a65a8dca..2017bfe0 100644 --- a/manifests/hostkeys.pp +++ b/manifests/hostkeys.pp 
@@ -9,14 +9,23 @@ Array $extra_aliases = [], Array $exclude_interfaces = [], Array $exclude_ipaddresses = [], + Boolean $use_trusted_facts = false, ) { + if $use_trusted_facts { + $fqdn_real = $trusted['certname'] + $hostname_real = $trusted['hostname'] + } else { + $fqdn_real = $facts['networking']['fqdn'] + $hostname_real = $facts['networking']['hostname'] + } + if $export_ipaddresses == true { $ipaddresses = ssh::ipaddresses($exclude_interfaces) $ipaddresses_real = $ipaddresses - $exclude_ipaddresses - $host_aliases = sort(unique(flatten([ $::fqdn, $::hostname, $extra_aliases, $ipaddresses_real ]))) + $host_aliases = sort(unique(flatten([ $fqdn_real, $hostname_real, $extra_aliases, $ipaddresses_real ]))) } else { - $host_aliases = sort(unique(flatten([ $::fqdn, $::hostname, $extra_aliases]))) + $host_aliases = sort(unique(flatten([ $fqdn_real, $hostname_real, $extra_aliases ]))) } if $storeconfigs_group { @@ -33,14 +42,14 @@ } if $key_type in $facts['ssh'] { - @@sshkey { "${::fqdn}_${key_type}": + @@sshkey { "${fqdn_real}_${key_type}": ensure => present, host_aliases => $host_aliases, type => $key_type_real, key => $facts['ssh'][$key_type]['key'], } } else { - @@sshkey { "${::fqdn}_${key_type}": + @@sshkey { "${fqdn_real}_${key_type}": ensure => absent, type => $key_type_real, } From ff2ea72e06d8728f09020490ec3839f9d02ef49a Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Sat, 8 Feb 2020 16:43:15 +0100 Subject: [PATCH 124/246] add exclusion of interfaces and ipaddress to README, fixes #267 --- README.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/README.md b/README.md index 897cd8ee..9dbe0a33 100644 --- a/README.md +++ b/README.md 
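Review bot: The new `$use_trusted_facts` parameter is added without a matching `@param` entry, although the other parameters of this class are documented (presumably in the header above the hunk, as in the rest of this series); add `# @param use_trusted_facts` with `# Use $trusted['certname'] and $trusted['hostname'] (from the agent certificate) instead of agent-reported facts for the exported host key`. That doc should also say that flipping the flag changes the `@@sshkey` titles in the second hunk from the reported fqdn to the certname, so exports made under the old title are not removed by this code and may linger in collected known_hosts until they are cleaned up elsewhere. From a trust standpoint the change is sound, since `$trusted` values derive from the certificate rather than from facts the agent sets itself. The class body continues outside the hunk.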
@@ -348,6 +348,19 @@ class YOURCUSTOMCLASS { } ``` +## Excluding network interfaces or ipaddresses + +Use hiera to exclude interfaces or ipaddresses from hostkey inclusion + +```yaml +ssh::hostkeys::exclude_interfaces: + - eth0 + - eth3 +ssh::hostkeys::exclude_ipaddresses: + - 192.168.0.1 + - 10.42.24.242 +``` + ## Facts This module provides facts detailing the available SSH client and server From 38f47fb2f03b44298157506ce78d527367b6b32e Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Sat, 8 Feb 2020 16:53:33 +0100 Subject: [PATCH 125/246] replace class absolute names --- manifests/client.pp | 8 ++++---- manifests/client/config.pp | 4 ++-- manifests/client/config/user.pp | 6 +++--- manifests/init.pp | 10 +++++----- manifests/server.pp | 14 +++++++------- manifests/server/config.pp | 6 +++--- manifests/server/host_key.pp | 18 +++++++++--------- manifests/server/match_block.pp | 2 +- 8 files changed, 34 insertions(+), 34 deletions(-) diff --git a/manifests/client.pp b/manifests/client.pp index f7009990..080b90f2 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -34,13 +34,13 @@ $fin_options = deep_merge($hiera_options, $options) if $use_augeas { - $merged_options = sshclient_options_to_augeas_ssh_config($fin_options, $options_absent, { 'target' => $::ssh::params::ssh_config }) + $merged_options = sshclient_options_to_augeas_ssh_config($fin_options, $options_absent, { 'target' => $ssh::params::ssh_config }) } else { $merged_options = merge($fin_options, delete($ssh::params::ssh_default_options, keys($fin_options))) } - include ::ssh::client::install - include ::ssh::client::config + include ssh::client::install + include ssh::client::config anchor { 'ssh::client::start': } anchor { 'ssh::client::end': } 
@@ -48,7 +48,7 @@ # Provide option to *not* use storeconfigs/puppetdb, which means not managing # hostkeys and knownhosts if ($storeconfigs_enabled) { - include ::ssh::knownhosts + include ssh::knownhosts Anchor['ssh::client::start'] -> Class['ssh::client::install'] diff --git a/manifests/client/config.pp b/manifests/client/config.pp index 5aa1f0fb..68885c8c 100644 --- a/manifests/client/config.pp +++ b/manifests/client/config.pp @@ -1,7 +1,7 @@ class ssh::client::config { - $options = $::ssh::client::merged_options - $use_augeas = $::ssh::client::use_augeas + $options = $ssh::client::merged_options + $use_augeas = $ssh::client::use_augeas if $use_augeas { create_resources('ssh_config', $options) diff --git a/manifests/client/config/user.pp b/manifests/client/config/user.pp index 04c1f814..35ec937a 100644 --- a/manifests/client/config/user.pp +++ b/manifests/client/config/user.pp @@ -11,7 +11,7 @@ Hash $options = {}, String[1] $user = $name, ) { - include ::ssh::params + include ssh::params # If a specific target file was specified, # it must have higher priority than any @@ -33,7 +33,7 @@ file { $user_ssh_dir: ensure => directory, owner => $user, - mode => $::ssh::params::user_ssh_directory_default_mode, + mode => $ssh::params::user_ssh_directory_default_mode, before => Concat_file[$_target], } } @@ -44,7 +44,7 @@ concat_file { $_target: ensure => $ensure, owner => $user, - mode => $::ssh::params::user_ssh_config_default_mode, + mode => $ssh::params::user_ssh_config_default_mode, tag => $name, } } diff --git a/manifests/init.pp b/manifests/init.pp index 392dddf2..5d41585d 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -104,7 +104,7 @@ Hash $users_client_options = {}, String $version = 'present', Boolean $storeconfigs_enabled = true, - Boolean $validate_sshd_file = $::ssh::params::validate_sshd_file, + Boolean $validate_sshd_file = $ssh::params::validate_sshd_file, Boolean $use_augeas = false, Array $server_options_absent = [], Array $client_options_absent = [], @@ -123,7 +123,7 @@ $fin_client_options = deep_merge($hiera_client_options, $client_options) $fin_users_client_options = deep_merge($hiera_users_client_options, $users_client_options) - class { '::ssh::server': + class { 'ssh::server': ensure => $version, storeconfigs_enabled => $storeconfigs_enabled, options => $fin_server_options, @@ -133,7 +133,7 @@ use_issue_net => $use_issue_net, } - class { '::ssh::client': + class { 'ssh::client': ensure => $version, storeconfigs_enabled => $storeconfigs_enabled, options => $fin_client_options, @@ -148,6 +148,6 @@ } } - create_resources('::ssh::client::config::user', $fin_users_client_options) - create_resources('::ssh::server::match_block', $fin_server_match_block) + create_resources('ssh::client::config::user', $fin_users_client_options) + create_resources('ssh::server::match_block', $fin_server_match_block) } diff --git a/manifests/server.pp b/manifests/server.pp index ba9f502a..7b3d89b9 100644 --- a/manifests/server.pp +++ b/manifests/server.pp 
@@ -51,14 +51,14 @@ $fin_match_block = deep_merge($hiera_match_block, $match_block) if $use_augeas { - $merged_options = sshserver_options_to_augeas_sshd_config($fin_options, $options_absent, { 'target' => $::ssh::params::sshd_config }) + $merged_options = sshserver_options_to_augeas_sshd_config($fin_options, $options_absent, { 'target' => $ssh::params::sshd_config }) } else { $merged_options = deep_merge($ssh::params::sshd_default_options, $fin_options) } - include ::ssh::server::install - include ::ssh::server::config - include ::ssh::server::service + include ssh::server::install + include ssh::server::config + include ssh::server::service anchor { 'ssh::server::start': } anchor { 'ssh::server::end': } @@ -66,8 +66,8 @@ # Provide option to *not* use storeconfigs/puppetdb, which means not managing # hostkeys and knownhosts if ($storeconfigs_enabled) { - include ::ssh::hostkeys - include ::ssh::knownhosts + include ssh::hostkeys + include ssh::knownhosts Anchor['ssh::server::start'] -> Class['ssh::server::install'] @@ -84,5 +84,5 @@ -> Anchor['ssh::server::end'] } - create_resources('::ssh::server::match_block', $fin_match_block) + create_resources('ssh::server::match_block', $fin_match_block) } diff --git a/manifests/server/config.pp b/manifests/server/config.pp index 97dc5ce3..e539a958 100644 --- a/manifests/server/config.pp +++ b/manifests/server/config.pp @@ -4,7 +4,7 @@ # @api private # class ssh::server::config { - $options = $::ssh::server::merged_options + $options = $ssh::server::merged_options case $ssh::server::validate_sshd_file { true: { @@ -15,7 +15,7 @@ } } - if $::ssh::server::use_augeas { + if $ssh::server::use_augeas { create_resources('sshd_config', $options) } else { concat { $ssh::params::sshd_config: @@ -34,7 +34,7 @@ } } - if $::ssh::server::use_issue_net { + if $ssh::server::use_issue_net { file { $ssh::params::issue_net: ensure => present, owner => 0, 
diff --git a/manifests/server/host_key.pp b/manifests/server/host_key.pp index 45a4d857..65e87685 100644 --- a/manifests/server/host_key.pp +++ b/manifests/server/host_key.pp @@ -47,7 +47,7 @@ ) { # Ensure the ssh::server class is included in the manifest - include ::ssh::server + include ssh::server if $public_key_source == '' and $public_key_content == '' and $ensure == 'present' { fail('You must provide either public_key_source or public_key_content parameter') @@ -89,7 +89,7 @@ owner => 0, group => 0, mode => '0644', - path => "${::ssh::params::sshd_dir}/${name}.pub", + path => "${ssh::params::sshd_dir}/${name}.pub", source => $manage_pub_key_source, content => $manage_pub_key_content, notify => Class['ssh::server::service'], @@ -98,9 +98,9 @@ file {"${name}_priv": ensure => $ensure, owner => 0, - group => $::ssh::params::host_priv_key_group, + group => $ssh::params::host_priv_key_group, mode => '0600', - path => "${::ssh::params::sshd_dir}/${name}", + path => "${ssh::params::sshd_dir}/${name}", source => $manage_priv_key_source, content => $manage_priv_key_content, show_diff => false, @@ -112,16 +112,16 @@ owner => 0, group => 0, mode => '0644', - path => "${::ssh::params::sshd_dir}/${name}.pub", + path => "${ssh::params::sshd_dir}/${name}.pub", notify => Class['ssh::server::service'], } file {"${name}_priv": ensure => $ensure, owner => 0, - group => $::ssh::params::host_priv_key_group, + group => $ssh::params::host_priv_key_group, mode => '0600', - path => "${::ssh::params::sshd_dir}/${name}", + path => "${ssh::params::sshd_dir}/${name}", show_diff => false, notify => Class['ssh::server::service'], } @@ -134,7 +134,7 @@ owner => 0, group => 0, mode => '0644', - path => "${::ssh::params::sshd_dir}/${name}-cert.pub", + path => "${ssh::params::sshd_dir}/${name}-cert.pub", source => $manage_cert_source, content => $manage_cert_content, notify => Class['ssh::server::service'], 
@@ -145,7 +145,7 @@ owner => 0, group => 0, mode => '0644', - path => "${::ssh::params::sshd_dir}/${name}-cert.pub", + path => "${ssh::params::sshd_dir}/${name}-cert.pub", notify => Class['ssh::server::service'], } } diff --git a/manifests/server/match_block.pp b/manifests/server/match_block.pp index ba484b7f..2ba34f57 100644 --- a/manifests/server/match_block.pp +++ b/manifests/server/match_block.pp @@ -8,7 +8,7 @@ String $type = 'user', Integer $order = 50, ) { - if $::ssh::server::use_augeas { + if $ssh::server::use_augeas { fail('ssh::server::match_block() define not supported with use_augeas = true') } else { concat::fragment { "match_block ${name}": From 1800d570cea8c910aaae86289292b2869523e5e2 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Sat, 8 Feb 2020 17:05:42 +0100 Subject: [PATCH 126/246] fix remaining absolute class name includes --- manifests/server/config/setting.pp | 2 +- manifests/server/install.pp | 2 +- manifests/server/service.pp | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/manifests/server/config/setting.pp b/manifests/server/config/setting.pp index a8f0327e..912806bf 100644 --- a/manifests/server/config/setting.pp +++ b/manifests/server/config/setting.pp @@ -8,7 +8,7 @@ $value, $order = '10' ) { - include ::ssh::params + include ssh::params if is_bool($value) { $real_value = $value ? { diff --git a/manifests/server/install.pp b/manifests/server/install.pp index 5ab1e83c..70b22aa4 100644 --- a/manifests/server/install.pp +++ b/manifests/server/install.pp @@ -4,7 +4,7 @@ # @api private # class ssh::server::install { - include ::ssh::params + include ssh::params if $ssh::params::server_package_name { ensure_packages( [$ssh::params::server_package_name], diff --git a/manifests/server/service.pp b/manifests/server/service.pp index fd104e6f..ee80a6c8 100644 --- a/manifests/server/service.pp +++ b/manifests/server/service.pp 
@@ -11,8 +11,8 @@ String $ensure = 'running', Boolean $enable = true ){ - include ::ssh::params - include ::ssh::server + include ssh::params + include ssh::server service { $ssh::params::service_name: ensure => $ssh::server::service::ensure, From 29a9ae72b9d2cbd45a970e790cf09fc02380a7bc Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Sat, 8 Feb 2020 17:15:06 +0100 Subject: [PATCH 127/246] new release: v6.1.0 --- CHANGELOG.md | 11 +++++++++++ metadata.json | 2 +- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 90aea16c..20794ab6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,17 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [6.1.0] +### Fixed +- Fix absolute class name includes +- Use gid 0 instead of group name for $host_priv_key_group (#289) +- Sort hostkeys (#288) +- Do not show diff when installing a ssh private host key (#283) +- Don't populate options which have a value of `undef` (#281) +### Added +- document exclusion of interfaces and ipaddresses within hostkeys.pp (#267) +- add parameter to use trusted facts to hostkeys.pp (#226) + ## [6.0.0] ### Fixed - don't fail at deep_merge if hiera data not available, see #272 diff --git a/metadata.json b/metadata.json index ff36e67e..b19c18c4 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "saz-ssh", - "version": "6.0.0", + "version": "6.1.0", "author": "saz", "summary": "Manage SSH client and server via Puppet.", "description": "Manage SSH client and server via puppet", From 46748b888ce20bb90a235c8d6a15812696fb320d Mon Sep 17 00:00:00 2001 
From: Steffen Zieger Date: Mon, 11 May 2020 09:56:03 +0200 Subject: [PATCH 128/246] build a simple structured networking fact for older facter versions, refs #293 --- lib/puppet/functions/ssh/ipaddresses.rb | 18 +++++++++++++- spec/functions/ssh/ipaddresses_spec.rb | 31 ++++++++++++++++++++++++- 2 files changed, 47 insertions(+), 2 deletions(-) diff --git a/lib/puppet/functions/ssh/ipaddresses.rb b/lib/puppet/functions/ssh/ipaddresses.rb index 466647a3..82ea2487 100644 --- a/lib/puppet/functions/ssh/ipaddresses.rb +++ b/lib/puppet/functions/ssh/ipaddresses.rb @@ -17,8 +17,24 @@ def ipaddresses(excluded_interfaces = []) # always exclude loopback interface excluded_interfaces += ['lo'] + if !facts['networking'].nil? && !facts['networking'].empty? + interfaces = facts['networking']['interfaces'] + else + interfaces = {} + facts['interfaces'].split(',').each do |iface| + next if facts["ipaddress_#{iface}"].nil? && facts["ipaddress6_#{iface}"].nil? + interfaces[iface] = {} + if !facts["ipaddress_#{iface}"].nil? && !facts["ipaddress_#{iface}"].empty? + interfaces[iface]['bindings'] = [{ 'address' => facts["ipaddress_#{iface}"] }] + end + if !facts["ipaddress6_#{iface}"].nil? && !facts["ipaddress6_#{iface}"].empty? + interfaces[iface]['bindings6'] = [{ 'address' => facts["ipaddress6_#{iface}"] }] + end + end + end + result = [] - facts['networking']['interfaces'].each do |iface, data| + interfaces.each do |iface, data| # skip excluded interfaces next if excluded_interfaces.include?(iface) diff --git a/spec/functions/ssh/ipaddresses_spec.rb b/spec/functions/ssh/ipaddresses_spec.rb index b9689864..e0361188 100644 --- a/spec/functions/ssh/ipaddresses_spec.rb +++ b/spec/functions/ssh/ipaddresses_spec.rb @@ -5,7 +5,7 @@ is_expected.not_to be_nil end - context 'with dummy fact data' do + context 'with dummy structured fact data' do let(:facts) do JSON.parse File.read(File.join(File.dirname(__FILE__), '../../fixtures/mock-interface-fact.json')) end 
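Review bot: On the legacy-fact branch, `facts['interfaces'].split(',')` raises NoMethodError when the `interfaces` fact is absent as well, which is exactly the kind of host this branch is meant to cover; guard it, e.g. `(facts['interfaces'] || '').split(',').each do |iface|`. The two `!nil? && !empty?` pairs could also be written as `unless facts["ipaddress_#{iface}"].to_s.empty?`, which covers both cases in one check. The `interfaces.each` loop body continues outside the hunk.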
@@ -27,4 +27,33 @@ end end end + + context 'with dummy legacy fact data' do + let(:facts) do + { + networking: {}, + interfaces: 'lo,docker0,eno1', + ipaddress_lo: '127.0.0.1', + ipaddress_eno1: '10.13.42.61', + ipaddress_docker0: '172.17.0.1' + } + end + + describe 'without parameters' do + it 'returns all IPs other than localhost' do + is_expected.to run.and_return(['172.17.0.1', '10.13.42.61']) + end + end + + describe 'with excluded interface' do + it 'doesn\'t return the IPs of excluded interface' do + is_expected.to run.with_params(['docker0']).and_return(['10.13.42.61']) + end + end + describe 'with excluded interfaces' do + it 'doesn\'t return the IPs of those interfaces' do + is_expected.to run.with_params(%w[docker0 eno1]).and_return([]) + end + end + end end From 9a65ac2915e87f445c2d575d01b5e00da12313d3 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Mon, 11 May 2020 15:26:36 +0200 Subject: [PATCH 129/246] use legacy facts for hostname and fqdn, refs #293 --- manifests/hostkeys.pp | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/manifests/hostkeys.pp b/manifests/hostkeys.pp index 2017bfe0..553a3558 100644 --- a/manifests/hostkeys.pp +++ b/manifests/hostkeys.pp @@ -16,8 +16,9 @@ $fqdn_real = $trusted['certname'] $hostname_real = $trusted['hostname'] } else { - $fqdn_real = $facts['networking']['fqdn'] - $hostname_real = $facts['networking']['hostname'] + # stick to legacy facts for older versions of facter + $fqdn_real = $facts['fqdn'] + $hostname_real = $facts['hostname'] } if $export_ipaddresses == true { From 4e5a503558391adca15c71bb901f2c9800fe193a Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Tue, 12 May 2020 11:49:47 +0200 Subject: [PATCH 130/246] new release: v6.2.0 --- CHANGELOG.md | 4 ++++ metadata.json | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 20794ab6..42ea331d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
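Review bot: The fallback now reads only the legacy `fqdn` and `hostname` facts, which newer Puppet/Facter releases can be configured to omit, so a node without legacy facts would end up with undef aliases and an exported title built from an empty fqdn; prefer the structured fact when present and fall back otherwise, e.g. `$fqdn_real = pick($facts.dig('networking', 'fqdn'), $facts['fqdn'])` and the same for hostname, if the module's Puppet floor allows `dig`. This would mirror what ssh::ipaddresses in the previous commit does for interfaces. The enclosing else branch and class body continue outside the hunk.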
@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [6.2.0] +### Changed +- support older facter versions (#293) + ## [6.1.0] ### Fixed - Fix absolute class name includes diff --git a/metadata.json b/metadata.json index b19c18c4..98746226 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "saz-ssh", - "version": "6.1.0", + "version": "6.2.0", "author": "saz", "summary": "Manage SSH client and server via Puppet.", "description": "Manage SSH client and server via puppet", From 496901997afc2b654c0ba1f0bcafd8090d55d066 Mon Sep 17 00:00:00 2001 From: Kenyon Ralph Date: Sun, 17 May 2020 17:12:15 -0700 Subject: [PATCH 131/246] README.md: delete duplicate word --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9dbe0a33..5b482ab9 100644 --- a/README.md +++ b/README.md @@ -252,7 +252,7 @@ class { 'ssh::server': ## Overwriting default options Default options will be merged with options passed in. -If an option is set both as default and via options parameter, the latter will +If an option is set both as default and via options parameter, the latter will win. The following example will disable X11Forwarding, which is enabled by default: From 7b07f63455abd16c377daecd235aa1341d9a19b0 Mon Sep 17 00:00:00 2001 From: Kenyon Ralph Date: Sun, 17 May 2020 17:33:46 -0700 Subject: [PATCH 132/246] knownhosts.pp: fix doc wording --- manifests/knownhosts.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/knownhosts.pp b/manifests/knownhosts.pp index cd7cf583..405a182c 100644 --- a/manifests/knownhosts.pp +++ b/manifests/knownhosts.pp 
@@ -1,8 +1,8 @@ # @summary -# This class manged knownhosts if collect is enable +# This class manages knownhosts if collection is enabled. # # @param collect_enabled -# Enabled collect +# Enable collection # # @param storeconfigs_group # Define the hostkeys group storage From 9184586352d5d525a0a5d957b2826496f9ab4992 Mon Sep 17 00:00:00 2001 From: Kenyon Ralph Date: Sun, 17 May 2020 17:36:53 -0700 Subject: [PATCH 133/246] init.pp: fix summary grammar --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index 5d41585d..1f833e32 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,5 +1,5 @@ # @summary -# This class managed ssh, client and server +# This class manages ssh client and server # # @example Puppet usage # class { 'ssh': From cc15ded20923f5b482ef4b4c312ae52e9457f484 Mon Sep 17 00:00:00 2001 From: Kenyon Ralph Date: Sun, 17 May 2020 17:38:59 -0700 Subject: [PATCH 134/246] hostkeys.pp: fix summary spelling --- manifests/hostkeys.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/hostkeys.pp b/manifests/hostkeys.pp index 553a3558..697b9f6f 100644 --- a/manifests/hostkeys.pp +++ b/manifests/hostkeys.pp @@ -1,5 +1,5 @@ # @summary -# This class manged hostkeys +# This class manages hostkeys # # @api private # From b9ce09035f93b18db3ffcad1bc6811a1cdea76e7 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Tue, 15 Jun 2021 16:34:39 +0200 Subject: [PATCH 135/246] stdlib/concat: Allow 7.x --- metadata.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/metadata.json b/metadata.json index 98746226..cba5d519 100644 --- a/metadata.json +++ b/metadata.json 
@@ -10,11 +10,11 @@ "dependencies": [ { "name": "puppetlabs/stdlib", - "version_requirement": ">= 4.25.0 < 7.0.0" + "version_requirement": ">= 4.25.0 < 8.0.0" }, { "name": "puppetlabs/concat", - "version_requirement": ">= 2.2.0 < 7.0.0" + "version_requirement": ">= 2.2.0 < 8.0.0" } ], "operatingsystem_support": [ From cefb792a1f7a53322b556b4e63132c9e8b78c949 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Thu, 17 Jun 2021 07:57:30 +0200 Subject: [PATCH 136/246] Update from saz modulesync_config --- .editorconfig | 14 + .github/workflows/ci.yml | 53 ++++ .github/workflows/release.yml | 29 ++ .gitignore | 17 +- .msync.yml | 2 + .overcommit.yml | 64 +++++ .pmtignore | 18 +- .rspec | 1 + .rspec_parallel | 1 + .rubocop.yml | 511 +--------------------------------- .travis.yml | 42 --- .yardopts | 2 + Dockerfile | 21 ++ Gemfile | 68 ++--- Rakefile | 85 +++--- spec/classes/coverage_spec.rb | 4 - spec/spec_helper.rb | 46 ++- 17 files changed, 308 insertions(+), 670 deletions(-) create mode 100644 .editorconfig create mode 100644 .github/workflows/ci.yml create mode 100644 .github/workflows/release.yml create mode 100644 .msync.yml create mode 100644 .overcommit.yml create mode 100644 .rspec_parallel delete mode 100644 .travis.yml create mode 100644 .yardopts create mode 100644 Dockerfile delete mode 100644 spec/classes/coverage_spec.rb diff --git a/.editorconfig b/.editorconfig new file mode 100644 index 00000000..d77700e3 --- /dev/null +++ b/.editorconfig @@ -0,0 +1,14 @@ +# editorconfig.org + +# MANAGED BY MODULESYNC + +root = true + +[*] +charset = utf-8 +end_of_line = lf +indent_size = 2 +tab_width = 2 +indent_style = space +insert_final_newline = true +trim_trailing_whitespace = true diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 00000000..2b1904f0 --- /dev/null +++ b/.github/workflows/ci.yml 
@@ -0,0 +1,53 @@ +name: CI + +on: + - pull_request + - push + +jobs: + setup_matrix: + name: 'Setup Test Matrix' + runs-on: ubuntu-latest + timeout-minutes: 40 + outputs: + beaker_setfiles: ${{ steps.get-outputs.outputs.beaker_setfiles }} + puppet_major_versions: ${{ steps.get-outputs.outputs.puppet_major_versions }} + puppet_unit_test_matrix: ${{ steps.get-outputs.outputs.puppet_unit_test_matrix }} + env: + BUNDLE_WITHOUT: development:release + steps: + - uses: actions/checkout@v2 + - name: Setup ruby + uses: ruby/setup-ruby@v1 + with: + ruby-version: '2.7' + bundler-cache: true + - name: Run rake validate + run: bundle exec rake validate + - name: Run rake rubocop + run: bundle exec rake rubocop + - name: Setup Test Matrix + id: get-outputs + run: bundle exec metadata2gha --use-fqdn --pidfile-workaround false + + unit: + needs: setup_matrix + runs-on: ubuntu-latest + timeout-minutes: 40 + strategy: + fail-fast: false + matrix: + include: ${{fromJson(needs.setup_matrix.outputs.puppet_unit_test_matrix)}} + env: + BUNDLE_WITHOUT: development:system_tests:release + PUPPET_VERSION: "~> ${{ matrix.puppet }}.0" + name: Puppet ${{ matrix.puppet }} (Ruby ${{ matrix.ruby }}) + steps: + - uses: actions/checkout@v2 + - name: Setup ruby + uses: ruby/setup-ruby@v1 + with: + ruby-version: ${{ matrix.ruby }} + bundler-cache: true + - name: Run tests + run: bundle exec rake diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 00000000..68b85284 --- /dev/null +++ b/.github/workflows/release.yml 
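Review bot: Both new workflows reference third-party actions by mutable tags (`actions/checkout@v2` and `ruby/setup-ruby@v1` here and again in release.yml in the next hunk), so whatever those tags resolve to at run time executes in the job, and release.yml additionally exposes `PUPPET_FORGE_USERNAME` and `PUPPET_FORGE_API_KEY` to that code. Pinning each `uses:` to a full commit SHA, with the tag kept in a trailing comment, makes the executed action content reviewable and immutable. These files appear to be modulesync-managed, so the pin presumably belongs in the sync config rather than in this module alone.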
@@ -0,0 +1,29 @@ +name: Release + +on: + push: + tags: + - '*' + +env: + BUNDLE_WITHOUT: development:test:system_tests + +jobs: + deploy: + name: 'deploy to forge' + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v2 + - name: Setup Ruby + uses: ruby/setup-ruby@v1 + with: + ruby-version: '2.7' + bundler-cache: true + - name: Build and Deploy + env: + # Configure secrets here: + # https://docs.github.com/en/free-pro-team@latest/actions/reference/encrypted-secrets + BLACKSMITH_FORGE_USERNAME: '${{ secrets.PUPPET_FORGE_USERNAME }}' + BLACKSMITH_FORGE_API_KEY: '${{ secrets.PUPPET_FORGE_API_KEY }}' + run: bundle exec rake module:push diff --git a/.gitignore b/.gitignore index 1d548c57..e9b3cf4b 100644 --- a/.gitignore +++ b/.gitignore @@ -1,7 +1,20 @@ pkg/ -*.swp -.DS_Store Gemfile.lock +Gemfile.local vendor/ .vendor/ +spec/fixtures/manifests/ +spec/fixtures/modules/ +.vagrant/ .bundle/ +.ruby-version +coverage/ +log/ +.idea/ +.dependencies/ +.librarian/ +Puppetfile.lock +*.iml +.*.sw? +.yardoc/ +Guardfile diff --git a/.msync.yml b/.msync.yml new file mode 100644 index 00000000..57ff5038 --- /dev/null +++ b/.msync.yml @@ -0,0 +1,2 @@ +--- +modulesync_config_version: '4.1.0' diff --git a/.overcommit.yml b/.overcommit.yml new file mode 100644 index 00000000..0af0fdc0 --- /dev/null +++ b/.overcommit.yml 
@@ -0,0 +1,64 @@ +# Managed by https://github.com/voxpupuli/modulesync_configs +# +# Hooks are only enabled if you take action. +# +# To enable the hooks run: +# +# ``` +# bundle exec overcommit --install +# # ensure .overcommit.yml does not harm to you and then +# bundle exec overcommit --sign +# ``` +# +# (it will manage the .git/hooks directory): +# +# Examples howto skip a test for a commit or push: +# +# ``` +# SKIP=RuboCop git commit +# SKIP=PuppetLint git commit +# SKIP=RakeTask git push +# ``` +# +# Don't invoke overcommit at all: +# +# ``` +# OVERCOMMIT_DISABLE=1 git commit +# ``` +# +# Read more about overcommit: https://github.com/brigade/overcommit +# +# To manage this config yourself in your module add +# +# ``` +# .overcommit.yml: +# unmanaged: true +# ``` +# +# to your modules .sync.yml config +--- +PreCommit: + RuboCop: + enabled: true + description: 'Runs rubocop on modified files only' + command: ['bundle', 'exec', 'rubocop'] + PuppetLint: + enabled: true + description: 'Runs puppet-lint on modified files only' + command: ['bundle', 'exec', 'puppet-lint'] + YamlSyntax: + enabled: true + JsonSyntax: + enabled: true + TrailingWhitespace: + enabled: true + +PrePush: + RakeTarget: + enabled: true + description: 'Run rake targets' + targets: + - 'validate' + - 'test' + - 'rubocop' + command: ['bundle', 'exec', 'rake'] diff --git a/.pmtignore b/.pmtignore index fb589575..33a8c65d 100644 --- a/.pmtignore +++ b/.pmtignore @@ -1,11 +1,12 @@ docs/ pkg/ +Gemfile Gemfile.lock Gemfile.local vendor/ .vendor/ -spec/fixtures/manifests/ -spec/fixtures/modules/ +spec/ +Rakefile .vagrant/ .bundle/ .ruby-version @@ -13,8 +14,21 @@ coverage/ log/ .idea/ .dependencies/ +.github/ .librarian/ Puppetfile.lock *.iml +.editorconfig +.fixtures.yml +.gitignore +.msync.yml +.overcommit.yml +.pmtignore +.rspec +.rspec_parallel +.rubocop.yml +.sync.yml .*.sw? .yardoc/ +.yardopts +Dockerfile diff --git a/.rspec b/.rspec index 49d5710b..8c18f1ab 100644 --- a/.rspec +++ b/.rspec 
@@ -1 +1,2 @@ --format documentation +--color diff --git a/.rspec_parallel b/.rspec_parallel new file mode 100644 index 00000000..e4d136b7 --- /dev/null +++ b/.rspec_parallel @@ -0,0 +1 @@ +--format progress diff --git a/.rubocop.yml b/.rubocop.yml index f6353134..198a3599 100644 --- a/.rubocop.yml +++ b/.rubocop.yml 
@@ -1,508 +1,3 @@ -require: rubocop-rspec -AllCops: - TargetRubyVersion: 2.2 - Include: - - ./**/*.rb - Exclude: - - files/**/* - - vendor/**/* - - Gemfile - - Rakefile - - .vendor/**/* - - pkg/**/* - - spec/fixtures/**/* - - Gemfile - - Rakefile -Lint/ConditionPosition: - Enabled: true - -Lint/ElseLayout: - Enabled: true - -Lint/UnreachableCode: - Enabled: true - -Lint/UselessComparison: - Enabled: true - -Lint/EnsureReturn: - Enabled: true - -Lint/HandleExceptions: - Enabled: true - -Lint/ShadowingOuterLocalVariable: - Enabled: true - -Lint/LiteralInInterpolation: - Enabled: true - -Style/HashSyntax: - Enabled: true - -Style/RedundantReturn: - Enabled: true - -Lint/AmbiguousOperator: - Enabled: true - -Lint/AssignmentInCondition: - Enabled: true - -Layout/SpaceBeforeComment: - Enabled: true - -Style/AndOr: - Enabled: true - -Style/RedundantSelf: - Enabled: true - -# Method length is not necessarily an indicator of code quality -Metrics/MethodLength: - Enabled: false - -# Module length is not necessarily an indicator of code quality -Metrics/ModuleLength: - Enabled: false - -Style/WhileUntilModifier: - Enabled: true - -Lint/AmbiguousRegexpLiteral: - Enabled: true - -Security/Eval: - Enabled: true - -Lint/BlockAlignment: - Enabled: true - -Lint/DefEndAlignment: - Enabled: true - -Lint/EndAlignment: - Enabled: true - -Lint/DeprecatedClassMethods: - Enabled: true - -Lint/Loop: - Enabled: true - -Lint/ParenthesesAsGroupedExpression: - Enabled: true - -Lint/RescueException: - Enabled: true - -Lint/StringConversionInInterpolation: - Enabled: true - -Lint/UnusedBlockArgument: - Enabled: true - -Lint/UnusedMethodArgument: - Enabled: true - -Lint/UselessAccessModifier: - Enabled: true - -Lint/UselessAssignment: - Enabled: true - -Lint/Void: - Enabled: true - -Layout/AccessModifierIndentation: - Enabled: true - -Style/AccessorMethodName: - Enabled: true - -Style/Alias: - Enabled: true - -Layout/AlignArray: - Enabled: true - -Layout/AlignHash: - Enabled: true - 
-Layout/AlignParameters: - Enabled: true - -Metrics/BlockNesting: - Enabled: true - -Style/AsciiComments: - Enabled: true - -Style/Attr: - Enabled: true - -Style/BracesAroundHashParameters: - Enabled: true - -Style/CaseEquality: - Enabled: true - -Layout/CaseIndentation: - Enabled: true - -Style/CharacterLiteral: - Enabled: true - -Style/ClassAndModuleCamelCase: - Enabled: true - -Style/ClassAndModuleChildren: - Enabled: false - -Style/ClassCheck: - Enabled: true - -# Class length is not necessarily an indicator of code quality -Metrics/ClassLength: - Enabled: false - -Style/ClassMethods: - Enabled: true - -Style/ClassVars: - Enabled: true - -Style/WhenThen: - Enabled: true - -Style/WordArray: - Enabled: true - -Style/UnneededPercentQ: - Enabled: true - -Layout/Tab: - Enabled: true - -Layout/SpaceBeforeSemicolon: - Enabled: true - -Layout/TrailingBlankLines: - Enabled: true - -Layout/SpaceInsideBlockBraces: - Enabled: true - -Layout/SpaceInsideHashLiteralBraces: - Enabled: true - -Layout/SpaceInsideParens: - Enabled: true - -Layout/LeadingCommentSpace: - Enabled: true - -Layout/SpaceBeforeFirstArg: - Enabled: true - -Layout/SpaceAfterColon: - Enabled: true - -Layout/SpaceAfterComma: - Enabled: true - -Layout/SpaceAfterMethodName: - Enabled: true - -Layout/SpaceAfterNot: - Enabled: true - -Layout/SpaceAfterSemicolon: - Enabled: true - -Layout/SpaceAroundEqualsInParameterDefault: - Enabled: true - -Layout/SpaceAroundOperators: - Enabled: true - -Layout/SpaceBeforeBlockBraces: - Enabled: true - -Layout/SpaceBeforeComma: - Enabled: true - -Style/CollectionMethods: - Enabled: true - -Layout/CommentIndentation: - Enabled: true - -Style/ColonMethodCall: - Enabled: true - -Style/CommentAnnotation: - Enabled: true - -# 'Complexity' is very relative -Metrics/CyclomaticComplexity: - Enabled: false - -Style/ConstantName: - Enabled: true - -Style/Documentation: - Enabled: false - -Style/DefWithParentheses: - Enabled: true - -Style/PreferredHashMethods: - Enabled: true - 
-Layout/DotPosition: - EnforcedStyle: trailing - -Style/DoubleNegation: - Enabled: true - -Style/EachWithObject: - Enabled: true - -Layout/EmptyLineBetweenDefs: - Enabled: true - -Layout/IndentArray: - Enabled: true - -Layout/IndentHash: - Enabled: true - -Layout/IndentationConsistency: - Enabled: true - -Layout/IndentationWidth: - Enabled: true - -Layout/EmptyLines: - Enabled: true - -Layout/EmptyLinesAroundAccessModifier: - Enabled: true - -Style/EmptyLiteral: - Enabled: true - -# Configuration parameters: AllowURI, URISchemes. -Metrics/LineLength: - Enabled: false - -Style/MethodCallWithoutArgsParentheses: - Enabled: true - -Style/MethodDefParentheses: - Enabled: true - -Style/LineEndConcatenation: - Enabled: true - -Layout/TrailingWhitespace: - Enabled: true - -Style/StringLiterals: - Enabled: true - -Style/TrailingCommaInArguments: - Enabled: true - -Style/GlobalVars: - Enabled: true - -Style/GuardClause: - Enabled: true - -Style/IfUnlessModifier: - Enabled: true - -Style/MultilineIfThen: - Enabled: true - -Style/NegatedIf: - Enabled: true - -Style/NegatedWhile: - Enabled: true - -Style/Next: - Enabled: true - -Style/SingleLineBlockParams: - Enabled: true - -Style/SingleLineMethods: - Enabled: true - -Style/SpecialGlobalVars: - Enabled: true - -Style/TrivialAccessors: - Enabled: true - -Style/UnlessElse: - Enabled: true - -Style/VariableInterpolation: - Enabled: true - -Style/VariableName: - Enabled: true - -Style/WhileUntilDo: - Enabled: true - -Style/EvenOdd: - Enabled: true - -Style/FileName: - Enabled: true - -Style/For: - Enabled: true - -Style/Lambda: - Enabled: true - -Style/MethodName: - Enabled: true - -Style/MultilineTernaryOperator: - Enabled: true - -Style/NestedTernaryOperator: - Enabled: true - -Style/NilComparison: - Enabled: true - -Style/FormatString: - Enabled: true - -Style/MultilineBlockChain: - Enabled: true - -Style/Semicolon: - Enabled: true - -Style/SignalException: - Enabled: true - -Style/NonNilCheck: - Enabled: true - -Style/Not: - 
Enabled: true - -Style/NumericLiterals: - Enabled: true - -Style/OneLineConditional: - Enabled: true - -Style/ParenthesesAroundCondition: - Enabled: true - -Style/PercentLiteralDelimiters: - Enabled: true - -Style/PerlBackrefs: - Enabled: true - -Style/PredicateName: - Enabled: true - -Style/RedundantException: - Enabled: true - -Style/SelfAssignment: - Enabled: true - -Style/Proc: - Enabled: true - -Style/RaiseArgs: - Enabled: true - -Style/RedundantBegin: - Enabled: true - -Style/RescueModifier: - Enabled: true - -# based on https://github.com/voxpupuli/modulesync_config/issues/168 -Style/RegexpLiteral: - EnforcedStyle: percent_r - Enabled: true - -Lint/UnderscorePrefixedVariableName: - Enabled: true - -Metrics/ParameterLists: - Enabled: false - -Lint/RequireParentheses: - Enabled: true - -Layout/SpaceBeforeFirstArg: - Enabled: true - -Style/ModuleFunction: - Enabled: true - -Lint/Debugger: - Enabled: true - -Style/IfWithSemicolon: - Enabled: true - -Style/Encoding: - Enabled: true - -Style/BlockDelimiters: - Enabled: true - -Style/FormatStringToken: - Enabled: false - -Layout/MultilineBlockLayout: - Enabled: true - -# 'Complexity' is very relative -Metrics/AbcSize: - Enabled: False - -Metrics/BlockLength: - Enabled: False - -# 'Complexity' is very relative -Metrics/PerceivedComplexity: - Enabled: False - -Lint/UselessAssignment: - Enabled: true - -Layout/ClosingParenthesisIndentation: - Enabled: false - -# RSpec - -# We don't use rspec in this way -RSpec/DescribeClass: - Enabled: False - -# Example length is not necessarily an indicator of code quality -RSpec/ExampleLength: - Enabled: False -RSpec/NestedGroups: - Max: 5 -RSpec/MultipleExpectations: - Max: 3 +--- +inherit_gem: + voxpupuli-test: rubocop.yml diff --git a/.travis.yml b/.travis.yml deleted file mode 100644 index a9722d4b..00000000 --- a/.travis.yml +++ /dev/null 
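Review bot: Enforcement of the cops this file enabled by hand — `Security/Eval`, `Lint/RescueException`, `Style/RescueModifier` and `Lint/Debugger` among them — now depends on a config outside the repository, since the new `.rubocop.yml` contains only `inherit_gem: voxpupuli-test: rubocop.yml`. Whether those cops stay enabled is decided by whichever `voxpupuli-test` release Bundler resolves, so it is worth confirming once against the gem's shipped `rubocop.yml` and recording the expectation here, e.g. `# inherited config is expected to keep Security/* and Lint/RescueException enabled`.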
@@ -1,42 +0,0 @@ -sudo: false -language: ruby -cache: bundler -bundler_args: "--without system_tests development" -before_install: -- bundle -v -- rm Gemfile.lock || true -- gem update --system -- gem update bundler -- gem --version -- bundle -v -script: -- bundle exec rake $CHECK -matrix: - fast_finish: true - include: - - rvm: 2.3.1 - env: PUPPET_VERSION="~> 4.0" STRICT_VARIABLES="yes" CHECK=test - - rvm: 2.3.1 - env: PUPPET_VERSION="~> 4.0" STRICT_VARIABLES="yes" CHECK=rubocop - - rvm: 2.3.1 - env: PUPPET_VERSION="~> 4.0" STRICT_VARIABLES="yes" CHECK=build FORGEDEPLOY=true - - rvm: 2.3.1 - env: PUPPET_VERSION="~> 5.0" STRICT_VARIABLES="yes" CHECK=test - - rvm: 2.3.1 - env: PUPPET_VERSION="~> 5.0" STRICT_VARIABLES="yes" CHECK=rubocop - - rvm: 2.5.3 - env: PUPPET_VERSION="~> 6.1" STRICT_VARIABLES="yes" CHECK=test - - rvm: 2.5.3 - env: PUPPET_VERSION="~> 6.1" STRICT_VARIABLES="yes" CHECK=rubocop -notifications: - email: false -deploy: - provider: puppetforge - user: saz - password: - secure: HOEacsz4i4p5Bagrotnyrst0TPMsbqlpfK8X2j/7ieGRqTJPuLx2yarz2ILHsEUnVPqlSJd4mDXabMZbPcpJlD/tJfNeoU1nVGUH+RX1BcXpakDeZrkraImDLjpnuw3ANtGgUpCFJlQLbYylHBA84RH/mZuroNhW5zi0polPz5M= - on: - tags: true - all_branches: true - rvm: 2.3.1 - condition: "$FORGEDEPLOY = true" diff --git a/.yardopts b/.yardopts new file mode 100644 index 00000000..3687f518 --- /dev/null +++ b/.yardopts @@ -0,0 +1,2 @@ +--markup markdown +--output-dir docs/ diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 00000000..a51c6416 --- /dev/null +++ b/Dockerfile 
@@ -0,0 +1,21 @@ +FROM ruby:2.7 + +WORKDIR /opt/puppet + +# https://github.com/puppetlabs/puppet/blob/06ad255754a38f22fb3a22c7c4f1e2ce453d01cb/lib/puppet/provider/service/runit.rb#L39 +RUN mkdir -p /etc/sv + +ARG PUPPET_VERSION="~> 6.0" +ARG PARALLEL_TEST_PROCESSORS=4 + +# Cache gems +COPY Gemfile . +RUN bundle install --without system_tests development release --path=${BUNDLE_PATH:-vendor/bundle} + +COPY . . + +RUN bundle install +RUN bundle exec rake release_checks + +# Container should not saved +RUN exit 1 diff --git a/Gemfile b/Gemfile index 577f4876..f4855f64 100644 --- a/Gemfile +++ b/Gemfile 
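Review bot: `COPY . .` copies the whole build context into the image and no `.dockerignore` is added alongside the `.gitignore`/`.pmtignore` changes in this commit, so `.git/`, `vendor/`, `.bundle/` and local files such as `Gemfile.local` end up in the layer unless a `.dockerignore` already exists outside this diff. A `.dockerignore` mirroring `.pmtignore` would keep those out. `FROM ruby:2.7` is also a floating tag; pinning by digest (`ruby:2.7@sha256:<digest-placeholder>`) makes the `release_checks` build reproducible.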
@@ -1,63 +1,33 @@ -source ENV['GEM_SOURCE'] || 'https://rubygems.org' - -def location_for(place, fake_version = nil) - if place =~ /^(git[:@][^#]*)#(.*)/ - [fake_version, { git: $1, branch: $2, require: false }].compact - elsif place =~ /^file:\/\/(.*)/ - ['>= 0', { path: File.expand_path($1), require: false }] - else - [place, { require: false }] - end -end +source ENV['GEM_SOURCE'] || "https://rubygems.org" group :test do - gem 'puppetlabs_spec_helper', '>= 2.11.0', require: false - gem 'rspec-puppet', require: false - gem 'rspec-puppet-facts', require: false - gem 'rspec-puppet-utils', require: false - gem 'puppet-lint-absolute_classname-check', require: false - gem 'puppet-lint-leading_zero-check', require: false - gem 'puppet-lint-trailing_comma-check', require: false - gem 'puppet-lint-version_comparison-check', require: false - gem 'puppet-lint-classes_and_types_beginning_with_digits-check', require: false - gem 'puppet-lint-unquoted_string-check', require: false - gem 'puppet-lint-variable_contains_upcase', require: false - gem 'metadata-json-lint', require: false - gem 'puppet-blacksmith', require: false - gem 'voxpupuli-release', require: false, git: 'https://github.com/voxpupuli/voxpupuli-release-gem.git' - gem 'puppet-strings', '~> 1.0', require: false - gem 'rubocop', '~> 0.49.1', require: false - gem 'rubocop-rspec', require: false - gem 'rspec-its', require: false + gem 'voxpupuli-test', '~> 2.1', :require => false + gem 'coveralls', :require => false + gem 'simplecov-console', :require => false end group :development do - gem 'travis', require: false - gem 'travis-lint', require: false - gem 'guard-rake', require: false + gem 'guard-rake', :require => false + gem 'overcommit', '>= 0.39.1', :require => false end group :system_tests do - if (beaker_version = ENV['BEAKER_VERSION']) - gem 'beaker', *location_for(beaker_version) - end - if (beaker_rspec_version = ENV['BEAKER_RSPEC_VERSION']) - gem 'beaker-rspec', *location_for(beaker_rspec_version) - 
else - gem 'beaker-rspec', require: false - end - gem 'beaker-puppet_install_helper', require: false + gem 'puppet_metadata', '~> 0.3.0', :require => false + gem 'voxpupuli-acceptance', :require => false end - - -if (facterversion = ENV['FACTER_GEM_VERSION']) - gem 'facter', facterversion.to_s, require: false, groups: [:test] -else - gem 'facter', require: false, groups: [:test] +group :release do + gem 'github_changelog_generator', '>= 1.16.1', :require => false + gem 'puppet-blacksmith', :require => false + gem 'voxpupuli-release', :require => false + gem 'puppet-strings', '>= 2.2', :require => false end -ENV['PUPPET_VERSION'].nil? ? puppetversion = '~> 4.0' : puppetversion = ENV['PUPPET_VERSION'].to_s -gem 'puppet', puppetversion, require: false, groups: [:test] +gem 'puppetlabs_spec_helper', '~> 2.0', :require => false +gem 'rake', :require => false +gem 'facter', ENV['FACTER_GEM_VERSION'], :require => false, :groups => [:test] + +puppetversion = ENV['PUPPET_VERSION'] || '~> 6.0' +gem 'puppet', puppetversion, :require => false, :groups => [:test] # vim: syntax=ruby diff --git a/Rakefile b/Rakefile index 5c10c3f5..1e8a8980 100644 --- a/Rakefile +++ b/Rakefile 
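Review bot: Most gems in the new `:test`, `:development`, `:system_tests` and `:release` groups (`coveralls`, `simplecov-console`, `guard-rake`, `voxpupuli-acceptance`, `puppet-blacksmith`, `voxpupuli-release`) carry no version constraint, and `Gemfile.lock` stays in `.gitignore` in this same commit, so every CI and release run resolves the newest published version of each and the code that runs `rake module:push` with Forge credentials is not pinned anywhere in the repository. Adding a pessimistic constraint to the `:release` group gems, or checking in a lockfile used by the release workflow, would make that code path reproducible. `source ENV['GEM_SOURCE'] || "https://rubygems.org"` also lets the environment redirect the gem source; that line predates this change, but the new release job now inherits it.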
@@ -1,42 +1,61 @@ -require 'puppetlabs_spec_helper/rake_tasks' -require 'puppet_blacksmith/rake_tasks' -require 'voxpupuli/release/rake_tasks' +# Attempt to load voxupuli-test (which pulls in puppetlabs_spec_helper), +# otherwise attempt to load it directly. +begin + require 'voxpupuli/test/rake' +rescue LoadError + require 'puppetlabs_spec_helper/rake_tasks' +end -if RUBY_VERSION >= '2.2.0' - require 'rubocop/rake_task' +# load optional tasks for releases +# only available if gem group releases is installed +begin + require 'voxpupuli/release/rake_tasks' +rescue LoadError +end - RuboCop::RakeTask.new(:rubocop) do |task| - # These make the rubocop experience maybe slightly less terrible - task.options = ['-D', '-S', '-E'] +desc "Run main 'test' task and report merged results to coveralls" +task test_with_coveralls: [:test] do + if Dir.exist?(File.expand_path('../lib', __FILE__)) + require 'coveralls/rake/task' + Coveralls::RakeTask.new + Rake::Task['coveralls:push'].invoke + else + puts 'Skipping reporting to coveralls. 
Module has no lib dir' end end -PuppetLint.configuration.fail_on_warnings = true -PuppetLint.configuration.send('relative') -PuppetLint.configuration.send('disable_140chars') -PuppetLint.configuration.send('disable_class_inherits_from_params_class') -PuppetLint.configuration.send('disable_documentation') -PuppetLint.configuration.send('disable_single_quote_string_with_variables') +desc 'Generate REFERENCE.md' +task :reference, [:debug, :backtrace] do |t, args| + patterns = '' + Rake::Task['strings:generate:reference'].invoke(patterns, args[:debug], args[:backtrace]) +end -exclude_paths = %w( - pkg/**/* - vendor/**/* - .vendor/**/* - spec/**/* -) -PuppetLint.configuration.ignore_paths = exclude_paths -PuppetSyntax.exclude_paths = exclude_paths +begin + require 'github_changelog_generator/task' + require 'puppet_blacksmith' + GitHubChangelogGenerator::RakeTask.new :changelog do |config| + version = (Blacksmith::Modulefile.new).version + config.future_release = "v#{version}" if version =~ /^\d+\.\d+.\d+$/ + config.header = "# Changelog\n\nAll notable changes to this project will be documented in this file.\nEach new release typically also includes the latest modulesync defaults.\nThese should not affect the functionality of the module." + config.exclude_labels = %w{duplicate question invalid wontfix wont-fix modulesync skip-changelog} + config.user = 'saz' + metadata_json = File.join(File.dirname(__FILE__), 'metadata.json') + metadata = JSON.load(File.read(metadata_json)) + config.project = metadata['name'] + end -desc 'Run acceptance tests' -RSpec::Core::RakeTask.new(:acceptance) do |t| - t.pattern = 'spec/acceptance' -end + # Workaround for https://github.com/github-changelog-generator/github-changelog-generator/issues/715 + require 'rbconfig' + if RbConfig::CONFIG['host_os'] =~ /linux/ + task :changelog do + puts 'Fixing line endings...' 
+ changelog_file = File.join(__dir__, 'CHANGELOG.md') + changelog_txt = File.read(changelog_file) + new_contents = changelog_txt.gsub(%r{\r\n}, "\n") + File.open(changelog_file, "w") {|file| file.puts new_contents } + end + end -desc 'Run tests metadata_lint, lint, syntax, spec' -task test: [ - :metadata_lint, - :lint, - :syntax, - :spec, -] +rescue LoadError +end # vim: syntax=ruby diff --git a/spec/classes/coverage_spec.rb b/spec/classes/coverage_spec.rb deleted file mode 100644 index de446548..00000000 --- a/spec/classes/coverage_spec.rb +++ /dev/null @@ -1,4 +0,0 @@ -require 'rspec-puppet' - -at_exit { RSpec::Puppet::Coverage.report! } -# vim: syntax=ruby diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index fef3ee93..d266f6b4 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb 
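Review bot: `metadata = JSON.load(File.read(metadata_json))` in the changelog task parses plain data with `JSON.load`, which on older json gem versions honours `json_class` additions and can instantiate objects from the document; `JSON.parse` is the right call here, `metadata = JSON.parse(File.read(metadata_json))`. The two `rescue LoadError` / `end` blocks also swallow the error with no message, so a missing `github_changelog_generator` or `puppet_blacksmith` gem silently removes the `changelog` and release tasks; a one-line `warn` in each rescue would make that visible. The version check `version =~ /^\d+\.\d+.\d+$/` uses line anchors and an unescaped middle dot; `%r{\A\d+\.\d+\.\d+\z}` is the pattern the comparison intends.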
@@ -1,32 +1,18 @@ -require 'rspec-puppet' -require 'puppetlabs_spec_helper/module_spec_helper' +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config -RSpec.configure do |c| - c.default_facts = { - 'networking' => { - 'interfaces' => { - 'eth0' => { - 'bindings' => [ - { - 'address' => '192.168.1.1' - } - ], - 'bindings6' => [ - { - 'address' => '::1' - } - ] - } - } - }, - concat_basedir: '/tmp', - puppetversion: '3.7.0', - sshdsakey: 'AAAAB3NzaC1kc3MAAACBAODCvvUUnv2imW4cfuLBWVJTLMzds89MtCUXGl3+7Gza5QYJmp7GSkKBnV8+7XI+JAmjv0RKQM1RAn7mV5UplRTtg3CYbeNkX4IakZmNJLTdL4vUyIehhaxBobpOtBaJfFewCJE1plIaWvoWfEDrShcjIUbUbJMfR8YWweIIqp9bAAAAFQCr8+KRfOUZbS9Dz1t15A/Owl61VQAAAIBr/7hNPCvjzAl5+rde6jUR5k20pxAE+z2wsaZxlhrs6ZhhplyCKIXKq4rCx4QuFVPh/c+WJRPO56iH/rSh5Y5cpT1LUk66wNJcOBPprjvDEHfQUHUmfYXzNJ2BHkRL78lfzQr52YyowV6dHfktv0VsIctm13KcMr2KQygZtV6EqgAAAIEAjNC4PRdzYpWfxu268CJDpexlhBwIkIx+ovEibtYeke55qAQcF9UWko4A1c8Wf4nLLxlQYCf501Bt5lb6GmZd0xfpg27fPIfzZPL8o+E756D3ZcNXUaLj4HPRKnwNcdAtChL2jESH3fm8PyNwBI7tV6IOjmOGpyQKtmJq3IyNgms=', - sshrsakey: 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDzA57hAMwz6pywCgxNUcloWeNMvBo2PDPxK2RCegst+9tYaf4S3shnM9a1j2PGBoeRXTuUG6mYB32fJm6/37UUUJA4lT+8CZ3hNnDZU9aitpukkKon7RIlvY1PWO8wT4A5mEa0hfdQg6Um8KZZUs+jrB+8zMJO/X0fmleY54r/JKrP3hNcpaJpTUVQEvMmKacW7nYez/PvWKAz8d02uAOXuauGKhZ9K2AHYKlQFqJ4S1jLiduoGFWxFQ2vQybbN/O0PQQU7EZlHIjSzwoowZLzlxCKCZcKnoDsbGCtYHArbjxTb+m5e7nvsamz7TXLoY90Srmc5QGMxrLUlSvkYsm5', - sshecdsakey: 'AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFDrof0LPA0hGuwODy+5uTynV7rgPJspvZo2TzykBu5mSANJvdL1z5/JS3x16/c/cDjx2lfEkRoVDnon4/NjKEM=', - sshed25519key: '', - id: 'root', - is_pe: false, - path: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games' - } +# puppetlabs_spec_helper will set up coverage if the env variable is set. +# We want to do this if lib exists and it hasn't been explicitly set. 
+ENV['COVERAGE'] ||= 'yes' if Dir.exist?(File.expand_path('../../lib', __FILE__)) + +require 'voxpupuli/test/spec_helper' + +if File.exist?(File.join(__dir__, 'default_module_facts.yml')) + facts = YAML.safe_load(File.read(File.join(__dir__, 'default_module_facts.yml'))) + if facts + facts.each do |name, value| + add_custom_fact name.to_sym, value + end + end end From b5da24f5983d66fcc8619f961490410d60721bce Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Thu, 17 Jun 2021 13:57:47 +0200 Subject: [PATCH 137/246] breaking: drop support for puppet 4 / 5 [breaking] --- metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/metadata.json b/metadata.json index cba5d519..1846f6d3 100644 --- a/metadata.json +++ b/metadata.json @@ -58,7 +58,7 @@ "requirements": [ { "name": "puppet", - "version_requirement": ">= 4.10.10 < 7.0.0" + "version_requirement": ">= 6.1.0 < 8.0.0" } ] } From 593ebf2a24fd8a0669b99e87c8784fe3cff3addd Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Thu, 17 Jun 2021 13:58:10 +0200 Subject: [PATCH 138/246] docs(changelog): remove trailing whitespace --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 42ea331d..090629f2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,7 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [6.1.0] ### Fixed -- Fix absolute class name includes +- Fix absolute class name includes - Use gid 0 instead of group name for $host_priv_key_group (#289) - Sort hostkeys (#288) - Do not show diff when installing a ssh private host key (#283) From c8e0a0659ea6c55f0a02c93e6f7c0de431c3aa9e Mon Sep 17 00:00:00 2001 
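Review bot: `facts.each do |name, value|` assumes `default_module_facts.yml` parses to a mapping, but the `if facts` guard only rejects an empty or null document, so a list or scalar in that file reaches `add_custom_fact` with the wrong arguments. Checking the shape instead, `if facts.respond_to?(:each_pair)`, or a comment stating that the file must be a hash keyed by fact name, would make the contract explicit. `YAML` is used with no `require 'yaml'` in this file and relies on `voxpupuli/test/spec_helper` having loaded it — worth a one-line comment if that is intentional.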
From: Steffen Zieger Date: Thu, 17 Jun 2021 13:59:02 +0200 Subject: [PATCH 139/246] test: cleanup and whitespace removal --- manifests/client.pp | 14 ++---- manifests/client/config.pp | 5 +- manifests/client/config/user.pp | 2 +- manifests/client/install.pp | 6 ++- manifests/hostkeys.pp | 11 ++--- manifests/init.pp | 1 - manifests/knownhosts.pp | 2 +- manifests/params.pp | 28 +++++------ manifests/server.pp | 14 ++---- manifests/server/config.pp | 2 +- manifests/server/config/setting.pp | 1 - manifests/server/host_key.pp | 13 +++-- manifests/server/install.pp | 9 ++-- manifests/server/service.pp | 2 +- spec/classes/client_spec.rb | 28 ++++++++++- spec/classes/init_spec.rb | 42 ++++++++++++++-- spec/classes/server_spec.rb | 48 ++++++++++++++++--- spec/defines/client/config/user_spec.rb | 18 ++++++- spec/defines/server/config/setting_spec.rb | 18 ++++++- spec/defines/server/host_key_spec.rb | 18 ++++++- .../util/fact_ssh_client_version_spec.rb | 17 +++---- .../fact_ssh_server_version_major_spec.rb | 8 ++-- .../util/fact_ssh_server_version_spec.rb | 17 +++---- tests/init.pp | 1 - tests/server.pp | 1 - 25 files changed, 224 insertions(+), 102 deletions(-) delete mode 100644 tests/init.pp delete mode 100644 tests/server.pp diff --git a/manifests/client.pp b/manifests/client.pp index 080b90f2..edf6c1fe 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -20,14 +20,13 @@ # @param options_absent # Remove options (with augeas style) # -class ssh::client( +class ssh::client ( String $ensure = present, Boolean $storeconfigs_enabled = true, Hash $options = {}, Boolean $use_augeas = false, Array $options_absent = [], ) inherits ssh::params { - # Merge hashes from multiple layer of hierarchy in hiera $hiera_options = lookup("${module_name}::client::options", Optional[Hash], 'deep', {}) 
@@ -42,23 +41,16 @@ include ssh::client::install include ssh::client::config - anchor { 'ssh::client::start': } - anchor { 'ssh::client::end': } - # Provide option to *not* use storeconfigs/puppetdb, which means not managing # hostkeys and knownhosts if ($storeconfigs_enabled) { include ssh::knownhosts - Anchor['ssh::client::start'] - -> Class['ssh::client::install'] + Class['ssh::client::install'] -> Class['ssh::client::config'] -> Class['ssh::knownhosts'] - -> Anchor['ssh::client::end'] } else { - Anchor['ssh::client::start'] - -> Class['ssh::client::install'] + Class['ssh::client::install'] -> Class['ssh::client::config'] - -> Anchor['ssh::client::end'] } } diff --git a/manifests/client/config.pp b/manifests/client/config.pp index 68885c8c..e8a99a59 100644 --- a/manifests/client/config.pp +++ b/manifests/client/config.pp @@ -1,5 +1,4 @@ -class ssh::client::config -{ +class ssh::client::config { $options = $ssh::client::merged_options $use_augeas = $ssh::client::use_augeas @@ -7,7 +6,7 @@ create_resources('ssh_config', $options) } else { file { $ssh::params::ssh_config: - ensure => present, + ensure => file, owner => '0', group => '0', mode => '0644', diff --git a/manifests/client/config/user.pp b/manifests/client/config/user.pp index 35ec937a..d2f81506 100644 --- a/manifests/client/config/user.pp +++ b/manifests/client/config/user.pp @@ -3,7 +3,7 @@ # Contributor: Remi Ferrand (2015) # Contributor: Tim Meusel (2017) # -define ssh::client::config::user( +define ssh::client::config::user ( Enum['present', 'absent'] $ensure = present, Optional[Stdlib::Absolutepath] $target = undef, Optional[Stdlib::Absolutepath] $user_home_dir = undef, diff --git a/manifests/client/install.pp b/manifests/client/install.pp index 11f0d2bd..d3489ec2 100644 --- a/manifests/client/install.pp +++ b/manifests/client/install.pp 
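Review bot: Removing `anchor { 'ssh::client::start': }` / `anchor { 'ssh::client::end': }` while the sub-classes are still only `include`d changes external ordering, which is more than the "cleanup and whitespace removal" in the commit title: with the anchors, `Class['ssh::client'] -> Something` guaranteed `ssh::client::config` had been applied first, because the end anchor was a resource contained in `ssh::client`, and after this hunk nothing in `ssh::client` contains `ssh::client::install` or `ssh::client::config`. Changing the visible `include ssh::client::install` and `include ssh::client::config` to `contain ssh::client::install` / `contain ssh::client::config` keeps that guarantee without the anchors (`ssh::knownhosts` is shared with `ssh::server`, so containing it needs separate thought). The same anchor removal appears in the `manifests/server.pp` hunk for `ssh::server::install`, `ssh::server::config` and `ssh::server::service`.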
@@ -1,5 +1,9 @@ class ssh::client::install { if $ssh::params::client_package_name { - ensure_packages([$ssh::params::client_package_name], {'ensure' => $ssh::client::ensure}) + ensure_packages([ + $ssh::params::client_package_name, + ], { + 'ensure' => $ssh::client::ensure, + }) } } diff --git a/manifests/hostkeys.pp b/manifests/hostkeys.pp index 697b9f6f..b5e45f68 100644 --- a/manifests/hostkeys.pp +++ b/manifests/hostkeys.pp @@ -3,7 +3,7 @@ # # @api private # -class ssh::hostkeys( +class ssh::hostkeys ( Boolean $export_ipaddresses = true, Optional[String] $storeconfigs_group = undef, Array $extra_aliases = [], @@ -11,22 +11,21 @@ Array $exclude_ipaddresses = [], Boolean $use_trusted_facts = false, ) { - if $use_trusted_facts { $fqdn_real = $trusted['certname'] $hostname_real = $trusted['hostname'] } else { # stick to legacy facts for older versions of facter - $fqdn_real = $facts['fqdn'] - $hostname_real = $facts['hostname'] + $fqdn_real = $facts['networking']['fqdn'] + $hostname_real = $facts['networking']['hostname'] } if $export_ipaddresses == true { $ipaddresses = ssh::ipaddresses($exclude_interfaces) $ipaddresses_real = $ipaddresses - $exclude_ipaddresses - $host_aliases = sort(unique(flatten([ $fqdn_real, $hostname_real, $extra_aliases, $ipaddresses_real ]))) + $host_aliases = sort(unique(flatten([$fqdn_real, $hostname_real, $extra_aliases, $ipaddresses_real]))) } else { - $host_aliases = sort(unique(flatten([ $fqdn_real, $hostname_real, $extra_aliases ]))) + $host_aliases = sort(unique(flatten([$fqdn_real, $hostname_real, $extra_aliases]))) } if $storeconfigs_group { diff --git a/manifests/init.pp b/manifests/init.pp index 1f833e32..ca98a1ab 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
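Review bot: The context comment `# stick to legacy facts for older versions of facter` in the `hostkeys.pp` hunk is now wrong: the lines under it read `$facts['networking']['fqdn']` and `$facts['networking']['hostname']`, which are the structured facts, not the legacy `fqdn`/`hostname` ones. Either drop the comment or replace it with one that states the new requirement, e.g. `# structured networking facts; requires a facter that provides $facts['networking']`. The parallel legacy-to-structured switch in `manifests/params.pp` carries no such stale comment, so only this hunk needs the change.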
@@ -111,7 +111,6 @@ Boolean $use_issue_net = false, Boolean $purge_unmanaged_sshkeys = true, ) inherits ssh::params { - # Merge hashes from multiple layer of hierarchy in hiera $hiera_server_options = lookup("${module_name}::server_options", Optional[Hash], 'deep', {}) $hiera_server_match_block = lookup("${module_name}::server_match_block", Optional[Hash], 'deep', {}) diff --git a/manifests/knownhosts.pp b/manifests/knownhosts.pp index 405a182c..bd6b9d22 100644 --- a/manifests/knownhosts.pp +++ b/manifests/knownhosts.pp @@ -7,7 +7,7 @@ # @param storeconfigs_group # Define the hostkeys group storage # -class ssh::knownhosts( +class ssh::knownhosts ( Boolean $collect_enabled = $ssh::params::collect_enabled, Optional[String] $storeconfigs_group = undef, ) inherits ssh::params { diff --git a/manifests/params.pp b/manifests/params.pp index 5b4b6c17..6925cfe4 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -4,7 +4,7 @@ # @api private # class ssh::params { - case $::osfamily { + case $facts['os']['family'] { 'Debian': { $server_package_name = 'openssh-server' $client_package_name = 'openssh-client' @@ -25,7 +25,7 @@ $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' $service_name = 'sshd' $sftp_server_path = '/usr/libexec/openssh/sftp-server' - if versioncmp($::operatingsystemmajrelease, '7') >= 0 { + if versioncmp($facts['os']['release']['major'], '7') >= 0 { $host_priv_key_group = 'ssh_keys' } else { $host_priv_key_group = 0 
@@ -83,13 +83,12 @@ $ssh_config = '/etc/ssh/ssh_config' $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' $host_priv_key_group = 0 - case $::operatingsystem { + case $facts['os']['name'] { 'SLES': { $service_name = 'sshd' - # $::operatingsystemmajrelease isn't available on e.g. SLES 10 - case $::operatingsystemrelease { + case $facts['os']['release']['full'] { /^10\./, /^11\./: { - if ($::architecture == 'x86_64') { + if ($facts['os']['architecture'] == 'x86_64') { $sftp_server_path = '/usr/lib64/ssh/sftp-server' } else { $sftp_server_path = '/usr/lib/ssh/sftp-server' @@ -105,12 +104,12 @@ $sftp_server_path = '/usr/lib/ssh/sftp-server' } default: { - fail("Unsupported platform: ${::osfamily}/${::operatingsystem}") + fail("Unsupported platform: ${facts['os']['family']}/${facts['os']['name']}") } } } 'Solaris': { - case $::operatingsystem { + case $facts['os']['name'] { 'SmartOS': { $server_package_name = undef $client_package_name = undef @@ -130,7 +129,7 @@ $service_name = 'svc:/network/ssh:default' $sftp_server_path = 'internal-sftp' $host_priv_key_group = 0 - case versioncmp($::kernelrelease, '5.10') { + case versioncmp($facts['kernelrelease'], '5.10') { 1: { # Solaris 11 and later $server_package_name = '/service/network/ssh' @@ -143,14 +142,14 @@ } default: { # Solaris 9 and earlier not supported - fail("Unsupported platform: ${::osfamily}/${::kernelrelease}") + fail("Unsupported platform: ${facts['os']['family']}/${facts['kernelrelease']}") } } } } } default: { - case $::operatingsystem { + case $facts['os']['name'] { 'Gentoo': { $server_package_name = 'openssh' $client_package_name = 'openssh' @@ -174,7 +173,7 @@ $host_priv_key_group = 0 } default: { - fail("Unsupported platform: ${::osfamily}/${::operatingsystem}") + fail("Unsupported platform: ${facts['os']['family']}/${facts['os']['name']}") } } } 
@@ -183,7 +182,7 @@ # ssh & sshd default options: # - OpenBSD doesn't know about UsePAM # - Sun_SSH doesn't know about UsePAM & AcceptEnv; SendEnv & HashKnownHosts - case $::osfamily { + case $facts['os']['family'] { 'OpenBSD': { $sshd_default_options = { 'ChallengeResponseAuthentication' => 'no', @@ -210,7 +209,8 @@ "${sshd_dir}/ssh_host_dsa_key", ], } - $ssh_default_options = { } + $ssh_default_options = { + } } default: { $sshd_default_options = { diff --git a/manifests/server.pp b/manifests/server.pp index 7b3d89b9..e30a6311 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -32,7 +32,7 @@ # @use_issue_net # Add issue_net banner # -class ssh::server( +class ssh::server ( String $ensure = present, Boolean $storeconfigs_enabled = true, Hash $options = {}, @@ -42,7 +42,6 @@ Hash $match_block = {}, Boolean $use_issue_net = false ) inherits ssh::params { - # Merge hashes from multiple layer of hierarchy in hiera $hiera_options = lookup("${module_name}::server::options", Optional[Hash], 'deep', {}) $hiera_match_block = lookup("${module_name}::server::match_block", Optional[Hash], 'deep', {}) @@ -60,28 +59,21 @@ include ssh::server::config include ssh::server::service - anchor { 'ssh::server::start': } - anchor { 'ssh::server::end': } - # Provide option to *not* use storeconfigs/puppetdb, which means not managing # hostkeys and knownhosts if ($storeconfigs_enabled) { include ssh::hostkeys include ssh::knownhosts - Anchor['ssh::server::start'] - -> Class['ssh::server::install'] + Class['ssh::server::install'] -> Class['ssh::server::config'] ~> Class['ssh::server::service'] -> Class['ssh::hostkeys'] -> Class['ssh::knownhosts'] - -> Anchor['ssh::server::end'] } else { - Anchor['ssh::server::start'] - -> Class['ssh::server::install'] + Class['ssh::server::install'] -> Class['ssh::server::config'] ~> Class['ssh::server::service'] - -> Anchor['ssh::server::end'] } create_resources('ssh::server::match_block', $fin_match_block) 
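Review bot: Removing the `ssh::server::start`/`ssh::server::end` anchors while the sub-classes are still pulled in with `include` (`include ssh::server::config` and `include ssh::server::service` are visible as context) drops the containment the anchor pattern existed for: after this change a user's `Class['ssh::server'] -> Something` or `Something -> Class['ssh::server']` no longer orders install, config and service, because `include` does not contain. The usual replacement for the anchor pattern is `contain ssh::server::install`, `contain ssh::server::config`, `contain ssh::server::service` in place of the `include` lines, which leaves the existing `->`/`~>` chains in this hunk untouched. The `include ssh::server::install` line, if present, and the rest of the class body are outside the hunk.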
diff --git a/manifests/server/config.pp b/manifests/server/config.pp index e539a958..ce1fa122 100644 --- a/manifests/server/config.pp +++ b/manifests/server/config.pp @@ -36,7 +36,7 @@ if $ssh::server::use_issue_net { file { $ssh::params::issue_net: - ensure => present, + ensure => file, owner => 0, group => 0, mode => '0644', diff --git a/manifests/server/config/setting.pp b/manifests/server/config/setting.pp index 912806bf..20dafc68 100644 --- a/manifests/server/config/setting.pp +++ b/manifests/server/config/setting.pp @@ -29,5 +29,4 @@ content => "\n# added by Ssh::Server::Config::Setting[${name}]\n${key} ${real_value}\n", order => $order, } - } diff --git a/manifests/server/host_key.pp b/manifests/server/host_key.pp index 65e87685..209f057c 100644 --- a/manifests/server/host_key.pp +++ b/manifests/server/host_key.pp @@ -45,7 +45,6 @@ $certificate_source = '', $certificate_content = '', ) { - # Ensure the ssh::server class is included in the manifest include ssh::server @@ -84,7 +83,7 @@ } if $ensure == 'present' { - file {"${name}_pub": + file { "${name}_pub": ensure => $ensure, owner => 0, group => 0, @@ -95,7 +94,7 @@ notify => Class['ssh::server::service'], } - file {"${name}_priv": + file { "${name}_priv": ensure => $ensure, owner => 0, group => $ssh::params::host_priv_key_group, @@ -107,7 +106,7 @@ notify => Class['ssh::server::service'], } } else { - file {"${name}_pub": + file { "${name}_pub": ensure => $ensure, owner => 0, group => 0, @@ -116,7 +115,7 @@ notify => Class['ssh::server::service'], } - file {"${name}_priv": + file { "${name}_priv": ensure => $ensure, owner => 0, group => $ssh::params::host_priv_key_group, @@ -129,7 +128,7 @@ if !empty($certificate_source) or !empty($certificate_content) { if $ensure == 'present' { - file {"${name}_cert": + file { "${name}_cert": ensure => $ensure, owner => 0, group => 0, 
@@ -140,7 +139,7 @@ notify => Class['ssh::server::service'], } } else { - file {"${name}_cert": + file { "${name}_cert": ensure => $ensure, owner => 0, group => 0, diff --git a/manifests/server/install.pp b/manifests/server/install.pp index 70b22aa4..d6a4a466 100644 --- a/manifests/server/install.pp +++ b/manifests/server/install.pp @@ -6,9 +6,10 @@ class ssh::server::install { include ssh::params if $ssh::params::server_package_name { - ensure_packages( - [$ssh::params::server_package_name], - { 'ensure' => $ssh::server::ensure } - ) + ensure_packages ([ + $ssh::params::server_package_name, + ], { + 'ensure' => $ssh::server::ensure, + }) } } diff --git a/manifests/server/service.pp b/manifests/server/service.pp index ee80a6c8..1aa0757b 100644 --- a/manifests/server/service.pp +++ b/manifests/server/service.pp @@ -10,7 +10,7 @@ class ssh::server::service ( String $ensure = 'running', Boolean $enable = true -){ +) { include ssh::params include ssh::server diff --git a/spec/classes/client_spec.rb b/spec/classes/client_spec.rb index 6dd14339..80115b3e 100644 --- a/spec/classes/client_spec.rb +++ b/spec/classes/client_spec.rb @@ -4,7 +4,19 @@ context 'when on Debian with no other parameters' do let :facts do { - osfamily: 'Debian' + :os => { + 'family' => 'Debian' + }, + 'networking' => { + 'interfaces' => { + 'eth0' => { + 'ip' => '10.0.0.1' + }, + 'eth1' => { + 'ip' => '10.0.1.1' + }, + } + } } end @@ -15,7 +27,19 @@ context 'when on Debian with custom ensure' do let :facts do { - osfamily: 'Debian' + :os => { + 'family' => 'Debian' + }, + 'networking' => { + 'interfaces' => { + 'eth0' => { + 'ip' => '10.0.0.1' + }, + 'eth1' => { + 'ip' => '10.0.1.1' + }, + } + } } end let :params do diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index e2a36b5a..09e1df8b 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb 
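Review bot: The new facts hash mixes a symbol hash-rocket key (`:os => {`) with string keys (`'networking' => {`, `'family' => 'Debian'`), so one literal carries two conventions; `'os' => {` keeps it uniform with the nested keys. The same 17-line literal is then pasted verbatim into the second hunk of this file and into spec/classes/init_spec.rb, spec/classes/server_spec.rb, spec/defines/client/config/user_spec.rb, spec/defines/server/config/setting_spec.rb and spec/defines/server/host_key_spec.rb; a single helper in spec/spec_helper.rb that takes the os family (and optional release) and returns the hash would make the next fact addition one change instead of nine. The `networking.interfaces` stanza is presumably needed by the hostkey export in ssh::hostkeys — a one-line comment saying so would spare the next reader the search.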
@@ -4,7 +4,19 @@ context 'when on Debian with no other parameters' do let :facts do { - osfamily: 'Debian' + :os => { + 'family' => 'Debian' + }, + 'networking' => { + 'interfaces' => { + 'eth0' => { + 'ip' => '10.0.0.1' + }, + 'eth1' => { + 'ip' => '10.0.1.1' + }, + } + } } end @@ -25,7 +37,19 @@ context 'when on Debian with the validate_sshd_file setting' do let :facts do { - osfamily: 'Debian' + :os => { + 'family' => 'Debian' + }, + 'networking' => { + 'interfaces' => { + 'eth0' => { + 'ip' => '10.0.0.1' + }, + 'eth1' => { + 'ip' => '10.0.1.1' + }, + } + } } end let :params do @@ -44,7 +68,19 @@ end standard_facts = { - osfamily: 'Debian' + :os => { + 'family' => 'Debian' + }, + 'networking' => { + 'interfaces' => { + 'eth0' => { + 'ip' => '10.0.0.1' + }, + 'eth1' => { + 'ip' => '10.0.1.1' + }, + } + } } context 'When on Debian without resource purging' do diff --git a/spec/classes/server_spec.rb b/spec/classes/server_spec.rb index 09cae7b6..54d977e8 100644 --- a/spec/classes/server_spec.rb +++ b/spec/classes/server_spec.rb @@ -19,8 +19,22 @@ let :facts do { - osfamily: 'RedHat', - operatingsystemmajrelease: '6' + :os => { + 'family' => 'RedHat', + 'release' => { + 'major' => '6' + } + }, + 'networking' => { + 'interfaces' => { + 'eth0' => { + 'ip' => '10.0.0.1' + }, + 'eth1' => { + 'ip' => '10.0.1.1' + }, + } + } } end @@ -64,7 +78,19 @@ ['Debian'].each do |osfamily| let :facts do { - osfamily: osfamily + :os => { + 'family' => osfamily + }, + 'networking' => { + 'interfaces' => { + 'eth0' => { + 'ip' => '10.0.0.1' + }, + 'eth1' => { + 'ip' => '10.0.1.1' + }, + } + } } end @@ -100,9 +126,19 @@ describe 'on Arch' do let :facts do { - osfamily: 'Archlinux', - lsbdistdescription: 'Arch Linux', - lsbdistid: 'Arch' + :os => { + 'family' => 'Archlinux' + }, + 'networking' => { + 'interfaces' => { + 'eth0' => { + 'ip' => '10.0.0.1' + }, + 'eth1' => { + 'ip' => '10.0.1.1' + }, + } + } } end 
diff --git a/spec/defines/client/config/user_spec.rb b/spec/defines/client/config/user_spec.rb index 47a2f8ec..e0f10345 100644 --- a/spec/defines/client/config/user_spec.rb +++ b/spec/defines/client/config/user_spec.rb @@ -17,8 +17,22 @@ let :facts do { - osfamily: 'RedHat', - operatingsystemmajrelease: '6' + :os => { + 'family' => 'RedHat', + 'release' => { + 'major' => '6' + } + }, + 'networking' => { + 'interfaces' => { + 'eth0' => { + 'ip' => '10.0.0.1' + }, + 'eth1' => { + 'ip' => '10.0.1.1' + }, + } + } } end diff --git a/spec/defines/server/config/setting_spec.rb b/spec/defines/server/config/setting_spec.rb index 4d95a29c..cc4ebf8f 100644 --- a/spec/defines/server/config/setting_spec.rb +++ b/spec/defines/server/config/setting_spec.rb @@ -7,8 +7,22 @@ let :facts do { - osfamily: 'RedHat', - operatingsystemmajrelease: '6' + :os => { + 'family' => 'RedHat', + 'release' => { + 'major' => '6' + }, + }, + 'networking' => { + 'interfaces' => { + 'eth0' => { + 'ip' => '10.0.0.1' + }, + 'eth1' => { + 'ip' => '10.0.1.1' + }, + } + } } end diff --git a/spec/defines/server/host_key_spec.rb b/spec/defines/server/host_key_spec.rb index a009c537..3be4d312 100644 --- a/spec/defines/server/host_key_spec.rb +++ b/spec/defines/server/host_key_spec.rb @@ -9,8 +9,22 @@ let :facts do { - osfamily: 'RedHat', - operatingsystemmajrelease: '6' + :os => { + 'family' => 'RedHat', + 'release' => { + 'major' => '6' + }, + }, + 'networking' => { + 'interfaces' => { + 'eth0' => { + 'ip' => '10.0.0.1' + }, + 'eth1' => { + 'ip' => '10.0.1.1' + }, + } + } } end diff --git a/spec/unit/facter/util/fact_ssh_client_version_spec.rb b/spec/unit/facter/util/fact_ssh_client_version_spec.rb index 76f2c55b..877419fa 100644 --- a/spec/unit/facter/util/fact_ssh_client_version_spec.rb +++ b/spec/unit/facter/util/fact_ssh_client_version_spec.rb 
@@ -1,12 +1,14 @@ require 'spec_helper' describe 'ssh_client_version_full' do + before { Facter.clear } + after { Facter.clear } + context 'when on a Linux host' do before do - Facter.clear - Facter.fact(:kernel).stubs(:value).returns('linux') - Facter::Util::Resolution.stubs(:which).with('ssh').returns('/usr/bin/ssh') - Facter::Util::Resolution.stubs(:exec).with('ssh -V 2>&1').returns('OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8, OpenSSL 1.0.1f 6 Jan 2014') + allow(Facter.fact(:kernel)).to receive(:value).and_return('linux') + allow(Facter::Util::Resolution).to receive(:which).with('ssh').and_return('/usr/bin/ssh') + allow(Facter::Util::Resolution).to receive(:exec).with('ssh -V 2>&1').and_return('OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8, OpenSSL 1.0.1f 6 Jan 2014') end it 'execs ssh -V and returns full version number' do expect(Facter.fact(:ssh_client_version_full).value).to eq('6.6.1p1') @@ -14,10 +16,9 @@ end context 'when on a SunOS host' do before do - Facter.clear - Facter.fact(:kernel).stubs(:value).returns('SunOS') - Facter::Util::Resolution.stubs(:which).with('ssh').returns('/usr/bin/ssh') - Facter::Util::Resolution.stubs(:exec).with('ssh -V 2>&1').returns('Sun_SSH_2.4, SSH protocols 1.5/2.0, OpenSSL 0x100020bf') + allow(Facter.fact(:kernel)).to receive(:value).and_return('SunOS') + allow(Facter::Util::Resolution).to receive(:which).with('ssh').and_return('/usr/bin/ssh') + allow(Facter::Util::Resolution).to receive(:exec).with('ssh -V 2>&1').and_return('Sun_SSH_2.4, SSH protocols 1.5/2.0, OpenSSL 0x100020bf') end it 'execs ssh -V and returns full version number' do expect(Facter.fact(:ssh_client_version_full).value).to eq('2.4') diff --git a/spec/unit/facter/util/fact_ssh_server_version_major_spec.rb b/spec/unit/facter/util/fact_ssh_server_version_major_spec.rb index 55e91bea..d2f18f57 100644 --- a/spec/unit/facter/util/fact_ssh_server_version_major_spec.rb +++ b/spec/unit/facter/util/fact_ssh_server_version_major_spec.rb 
@@ -3,14 +3,14 @@ describe Facter::Util::Fact do before do Facter.clear - Facter.fact(:kernel).stubs(:value).returns('linux') + allow(Facter.fact(:kernel)).to receive(:value).and_return('linux') end describe 'ssh_server_version_major' do context 'with 3 point semver syntax (6.6.1p1)' do context 'with ssh_server_version_full fact present returns major version' do before do - Facter.fact(:ssh_server_version_full).stubs(:value).returns('6.6.1p1') + allow(Facter.fact(:ssh_server_version_full)).to receive(:value).and_return('6.6.1p1') end it do expect(Facter.fact(:ssh_server_version_major).value).to eq('6') @@ -21,7 +21,7 @@ context 'with 2 point semver syntax (7.2p2)' do context 'with ssh_server_version_full fact present returns major version' do before do - Facter.fact(:ssh_server_version_full).stubs(:value).returns('7.2p2') + allow(Facter.fact(:ssh_server_version_full)).to receive(:value).and_return('7.2p2') end it do expect(Facter.fact(:ssh_server_version_major).value).to eq('7') @@ -31,7 +31,7 @@ context 'without ssh_server_version_full fact present returns nil' do before do - Facter.fact(:ssh_server_version_full).stubs(:value).returns(nil) + allow(Facter.fact(:ssh_server_version_full)).to receive(:value).and_return(nil) end it do expect(Facter.fact(:ssh_server_version_major).value).to be_nil diff --git a/spec/unit/facter/util/fact_ssh_server_version_spec.rb b/spec/unit/facter/util/fact_ssh_server_version_spec.rb index d4030b3b..96d9babd 100644 --- a/spec/unit/facter/util/fact_ssh_server_version_spec.rb +++ b/spec/unit/facter/util/fact_ssh_server_version_spec.rb 
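Review bot: The ported `before` block still calls `Facter.clear` only before each example, whereas the sibling specs changed in this same commit (fact_ssh_client_version_spec.rb and fact_ssh_server_version_spec.rb) now clear both before and after; without an `after { Facter.clear }` here a resolved `ssh_server_version_major` value may remain cached for whichever spec file runs next. Adding `after { Facter.clear }` next to the existing `before` keeps the three specs consistent. The `describe Facter::Util::Fact do` block continues outside the hunk.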
@@ -1,12 +1,14 @@ require 'spec_helper' describe 'ssh_server_version_full' do + before { Facter.clear } + after { Facter.clear } + context 'when on a Linux host' do before do - Facter.clear - Facter.fact(:kernel).stubs(:value).returns('linux') - Facter::Util::Resolution.stubs(:which).with('sshd').returns('/usr/sbin/sshd') - Facter::Util::Resolution.stubs(:exec).with('sshd -V 2>&1').returns('OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8, OpenSSL 1.0.1f 6 Jan 2014') + allow(Facter.fact(:kernel)).to receive(:value).and_return('linux') + allow(Facter::Util::Resolution).to receive(:which).with('sshd').and_return('/usr/bin/sshd') + allow(Facter::Util::Resolution).to receive(:exec).with('sshd -V 2>&1').and_return('OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8, OpenSSL 1.0.1f 6 Jan 2014') end it 'execs sshd -V and returns full version number' do expect(Facter.fact(:ssh_server_version_full).value).to eq('6.6.1p1') @@ -14,10 +16,9 @@ end context 'when on a SunOS host' do before do - Facter.clear - Facter.fact(:kernel).stubs(:value).returns('SunOS') - Facter::Util::Resolution.stubs(:which).with('sshd').returns('/usr/bin/sshd') - Facter::Util::Resolution.stubs(:exec).with('sshd -V 2>&1').returns('Sun_SSH_2.4, SSH protocols 1.5/2.0, OpenSSL 0x100020bf') + allow(Facter.fact(:kernel)).to receive(:value).and_return('SunOS') + allow(Facter::Util::Resolution).to receive(:which).with('sshd').and_return('/usr/bin/sshd') + allow(Facter::Util::Resolution).to receive(:exec).with('sshd -V 2>&1').and_return('Sun_SSH_2.4, SSH protocols 1.5/2.0, OpenSSL 0x100020bf') end it 'execs sshd -V and returns full version number' do expect(Facter.fact(:ssh_server_version_full).value).to eq('2.4') diff --git a/tests/init.pp b/tests/init.pp deleted file mode 100644 index 6687c2c7..00000000 --- a/tests/init.pp +++ /dev/null @@ -1 +0,0 @@ -class { '::ssh::server': } diff --git a/tests/server.pp b/tests/server.pp deleted file mode 100644 index 93a23812..00000000 --- a/tests/server.pp +++ /dev/null 
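Review bot: The Linux stub for `Facter::Util::Resolution.which('sshd')` now returns `'/usr/bin/sshd'` where the removed line returned `'/usr/sbin/sshd'`; that is an unrelated change for a mocha-to-rspec-mocks port and looks like a copy of the client spec, where `/usr/bin/ssh` is the right path. It presumably does not affect the assertion, since the fact appears to use the lookup only to decide whether to run `sshd -V`, but the realistic path documents intent and avoids a misleading diff: `allow(Facter::Util::Resolution).to receive(:which).with('sshd').and_return('/usr/sbin/sshd')`.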
@@ -1 +0,0 @@ -include ::ssh::server From 2b12f49b41d39a5eca10d6f94d8a2fd2fe40a265 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Fri, 18 Jun 2021 16:20:53 +0200 Subject: [PATCH 140/246] new release: v7.0.0 --- CHANGELOG.md | 9 +++++++++ metadata.json | 2 +- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 090629f2..62a5bfd9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,15 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [7.0.0] +### Fixed +- Fix grammar and spelling in various places +### Changed +- Use GitHub Actions instead of TravisCI +- Update module dependencies +### Removed +- Dropped support for puppet 4 and 5 (Breaking Change) + ## [6.2.0] ### Changed - support older facter versions (#293) diff --git a/metadata.json b/metadata.json index 1846f6d3..87e98515 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "saz-ssh", - "version": "6.2.0", + "version": "7.0.0", "author": "saz", "summary": "Manage SSH client and server via Puppet.", "description": "Manage SSH client and server via puppet", From eeda1b8a8994e0dac95c63cee9404dfed626369e Mon Sep 17 00:00:00 2001 From: Andrew Gunnerson Date: Mon, 21 Jun 2021 12:47:26 -0400 Subject: [PATCH 141/246] ssh_config: Don't populate options that are set to undef Undef values are translated into `nil` in erb templates in newer versions of Puppet. This commit is a direct port of commit 86914f4aebcaed97c512cde7acafc52771ef83c4, which made the same change for `sshd_config.erb`. Signed-off-by: Andrew Gunnerson --- templates/ssh_config.erb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/templates/ssh_config.erb b/templates/ssh_config.erb index 8cf7db34..5546a106 100644 --- a/templates/ssh_config.erb 
+++ b/templates/ssh_config.erb
@@ -21,7 +21,7 @@
 <%- v.sort.each do |key, value| -%>
 <%- if value.is_a?(Array) -%>
 <%- value.each do |a| -%>
- <%- if a != '' -%>
+ <%- if a != '' && a != nil -%>
 <%- line_content = "#{key} #{bool2str(a)}" -%>
 <%- if line_content.length > 1020 -%>
 <%- fail("Line exceeds 1024 characters: #{line_content}") -%>
@@ -30,7 +30,7 @@
 <%- end -%>
 <%- end -%>
 <%- end -%>
- <%- elsif value != '' -%>
+ <%- elsif value != '' && value != nil -%>
 <%- line_content = "#{key} #{bool2str(value)}" -%>
 <%- if line_content.length > 1020 -%>
 <%- fail("Line exceeds 1024 characters: #{line_content}") -%>
@@ -41,7 +41,7 @@
 <%- else -%>
 <%- if v.is_a?(Array) -%>
 <%- v.each do |a| -%>
-<%- if a != '' -%>
+<%- if a != '' && a != nil -%>
 <%- line_content = "#{k} #{bool2str(a)}" -%>
 <%- if line_content.length > 1024 -%>
 <%- fail("Line exceeds 1024 characters: #{line_content}") -%>
@@ -49,7 +49,7 @@
 <%= k %> <%= bool2str(a) %>
 <%- end -%>
 <%- end -%>
-<%- elsif v != :undef and v != '' -%>
+<%- elsif v != :undef && v != '' && v != nil -%>
 <%- line_content = "#{k} #{bool2str(v)}" -%>
 <%- if line_content.length > 1024 -%>
 <%- fail("Line exceeds 1024 characters: #{line_content}") -%>
From d108f1beee2a6db1301c76e50d2ea35e90965c40 Mon Sep 17 00:00:00 2001
From: Steffen Zieger
Date: Sat, 14 Aug 2021 12:18:36 +0200
Subject: [PATCH 142/246] new release: v7.0.1
---
CHANGELOG.md | 4 ++++
metadata.json | 2 +-
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 62a5bfd9..148e2964 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [7.0.1]
+### Fixed
+- ssh_config: Don't populate options that are set to undef (#312)
+
 ## [7.0.0]
 ### Fixed
 - Fix grammar and spelling in various places
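Review bot: The four new guards spell the nil test as `a != nil`, `value != nil` and `v != nil`, which Ruby style (RuboCop's Style/NonNilCheck) writes as `!x.nil?`; `<%- if !a.nil? && a != '' -%>` in the two array branches, `<%- elsif !value.nil? && value != '' -%>` for the Host-block scalar and `<%- elsif !v.nil? && v != :undef && v != '' -%>` at top level behave identically and read as one idiom. The top-level branch also still skips `:undef` while the Host-block branches in the first two hunks do not; that asymmetry is pre-existing, but if the symbol can still reach the template on older Puppet versions it is worth either aligning the four conditions or adding a comment that only the top level expects `:undef`. Each hunk's enclosing loop starts and ends outside it.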
diff --git a/metadata.json b/metadata.json
index 87e98515..1b561fa4 100644
--- a/metadata.json
+++ b/metadata.json
@@ -1,6 +1,6 @@
 {
 "name": "saz-ssh",
- "version": "7.0.0",
+ "version": "7.0.1",
 "author": "saz",
 "summary": "Manage SSH client and server via Puppet.",
 "description": "Manage SSH client and server via puppet",
From ce0672d9873d904818182ba4f48fb0254374ee7d Mon Sep 17 00:00:00 2001
From: Steffen Zieger
Date: Sat, 14 Aug 2021 12:19:54 +0200
Subject: [PATCH 143/246] replace travis-ci badge with Github Actions badge in README
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 5b482ab9..3c6770ca 100644
--- a/README.md
+++ b/README.md
@@ -4,7 +4,7 @@
 [![Puppet Forge](http://img.shields.io/puppetforge/v/saz/ssh.svg)](https://forge.puppetlabs.com/saz/ssh)
 [![Puppet Forge downloads](https://img.shields.io/puppetforge/dt/saz/ssh.svg)](https://forge.puppetlabs.com/saz/ssh)
 [![Puppet Forge score](https://img.shields.io/puppetforge/f/saz/ssh.svg)](https://forge.puppetlabs.com/saz/ssh)
-[![Build Status](https://travis-ci.org/saz/puppet-ssh.png)](https://travis-ci.org/saz/puppet-ssh)
+[![Build Status](https://github.com/saz/puppet-ssh/workflows/CI/badge.svg)](https://github.com/saz/puppet-ssh/actions?query=workflow%3ACI)
 Manage SSH client and server via Puppet.
 Source: https://github.com/saz/puppet-ssh
From 84f98ba78c3df36de4042698e05c1dcf9454772a Mon Sep 17 00:00:00 2001
From: Steffen Zieger
Date: Sat, 14 Aug 2021 12:31:27 +0200
Subject: [PATCH 144/246] fix spelling mistake in init.pp
---
manifests/init.pp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/manifests/init.pp b/manifests/init.pp
index ca98a1ab..ffeb1a73 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -77,7 +77,7 @@ # Add users options for ssh client config # # @param version -# Define package version (pacakge ressource) +# Define package version (package ressource) # # @param storeconfigs_enabled # Default value for storeconfigs_enabled (client and server) From 46c830ed0b3fff623cd790d5970876c63383380d Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Sat, 14 Aug 2021 13:05:19 +0200 Subject: [PATCH 145/246] Update from saz modulesync_config --- .editorconfig | 3 ++- .github/workflows/ci.yml | 17 ++++++++++------- .github/workflows/release.yml | 5 +++++ .gitignore | 3 +++ .msync.yml | 3 +++ .overcommit.yml | 3 ++- .pmtignore | 3 +++ .rspec | 3 +++ .rspec_parallel | 3 +++ .rubocop.yml | 3 +++ .yardopts | 2 -- Dockerfile | 3 +++ Gemfile | 19 ++++++++++--------- Rakefile | 23 +++++++++++++++++------ spec/spec_helper.rb | 5 ++--- 15 files changed, 69 insertions(+), 29 deletions(-) delete mode 100644 .yardopts diff --git a/.editorconfig b/.editorconfig index d77700e3..ecb10a80 100644 --- a/.editorconfig +++ b/.editorconfig @@ -1,6 +1,7 @@ # editorconfig.org -# MANAGED BY MODULESYNC +# Managed by modulesync - DO NOT EDIT +# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ root = true diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2b1904f0..086a667a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,3 +1,7 @@ +--- +# Managed by modulesync - DO NOT EDIT +# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ + name: CI on: 
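Review bot: The corrected comment still carries a spelling error: `ressource` should be `resource`, so the line should read `# Define package version (package resource)`. Since this commit exists only to fix the spelling of this exact line, it is worth finishing the job in the same change. The `@param` list continues outside the hunk.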
@@ -10,20 +14,19 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 40 outputs: - beaker_setfiles: ${{ steps.get-outputs.outputs.beaker_setfiles }} - puppet_major_versions: ${{ steps.get-outputs.outputs.puppet_major_versions }} puppet_unit_test_matrix: ${{ steps.get-outputs.outputs.puppet_unit_test_matrix }} + github_action_test_matrix: ${{ steps.get-outputs.outputs.github_action_test_matrix }} env: - BUNDLE_WITHOUT: development:release + BUNDLE_WITHOUT: development:system_tests:release steps: - uses: actions/checkout@v2 - name: Setup ruby uses: ruby/setup-ruby@v1 with: - ruby-version: '2.7' + ruby-version: '3.0' bundler-cache: true - - name: Run rake validate - run: bundle exec rake validate + - name: Run static validations + run: bundle exec rake validate lint check - name: Run rake rubocop run: bundle exec rake rubocop - name: Setup Test Matrix @@ -50,4 +53,4 @@ jobs: ruby-version: ${{ matrix.ruby }} bundler-cache: true - name: Run tests - run: bundle exec rake + run: bundle exec rake parallel_spec diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 68b85284..1e4f916c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,3 +1,7 @@ +--- +# Managed by modulesync - DO NOT EDIT +# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ + name: Release on: @@ -12,6 +16,7 @@ jobs: deploy: name: 'deploy to forge' runs-on: ubuntu-latest + if: github.repository_owner == 'saz' steps: - name: Checkout repository uses: actions/checkout@v2 diff --git a/.gitignore b/.gitignore index e9b3cf4b..9b95224c 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,6 @@ +# Managed by modulesync - DO NOT EDIT +# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ + pkg/ Gemfile.lock Gemfile.local diff --git a/.msync.yml b/.msync.yml index 57ff5038..9c9f18f9 100644 --- a/.msync.yml +++ b/.msync.yml 
@@ -1,2 +1,5 @@ --- +# Managed by modulesync - DO NOT EDIT +# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ + modulesync_config_version: '4.1.0' diff --git a/.overcommit.yml b/.overcommit.yml index 0af0fdc0..d367adae 100644 --- a/.overcommit.yml +++ b/.overcommit.yml @@ -1,4 +1,5 @@ -# Managed by https://github.com/voxpupuli/modulesync_configs +# Managed by modulesync - DO NOT EDIT +# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ # # Hooks are only enabled if you take action. # diff --git a/.pmtignore b/.pmtignore index 33a8c65d..65f50514 100644 --- a/.pmtignore +++ b/.pmtignore @@ -1,3 +1,6 @@ +# Managed by modulesync - DO NOT EDIT +# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ + docs/ pkg/ Gemfile diff --git a/.rspec b/.rspec index 8c18f1ab..f634583d 100644 --- a/.rspec +++ b/.rspec @@ -1,2 +1,5 @@ +# Managed by modulesync - DO NOT EDIT +# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ + --format documentation --color diff --git a/.rspec_parallel b/.rspec_parallel index e4d136b7..a9a84f85 100644 --- a/.rspec_parallel +++ b/.rspec_parallel @@ -1 +1,4 @@ +# Managed by modulesync - DO NOT EDIT +# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ + --format progress diff --git a/.rubocop.yml b/.rubocop.yml index 198a3599..53ac1898 100644 --- a/.rubocop.yml +++ b/.rubocop.yml @@ -1,3 +1,6 @@ --- +# Managed by modulesync - DO NOT EDIT +# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ + inherit_gem: voxpupuli-test: rubocop.yml diff --git a/.yardopts b/.yardopts deleted file mode 100644 index 3687f518..00000000 --- a/.yardopts +++ /dev/null @@ -1,2 +0,0 @@ ---markup markdown ---output-dir docs/ diff --git a/Dockerfile b/Dockerfile index a51c6416..e3cf307f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,3 +1,6 @@ +# MANAGED BY MODULESYNC +# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ + FROM ruby:2.7 WORKDIR /opt/puppet 
diff --git a/Gemfile b/Gemfile index f4855f64..d5753f1d 100644 --- a/Gemfile +++ b/Gemfile @@ -1,9 +1,13 @@ +# Managed by modulesync - DO NOT EDIT +# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ + source ENV['GEM_SOURCE'] || "https://rubygems.org" group :test do - gem 'voxpupuli-test', '~> 2.1', :require => false - gem 'coveralls', :require => false - gem 'simplecov-console', :require => false + gem 'voxpupuli-test', '~> 2.5', :require => false + gem 'coveralls', :require => false + gem 'simplecov-console', :require => false + gem 'puppet_metadata', '~> 1.0', :require => false end group :development do @@ -12,22 +16,19 @@ group :development do end group :system_tests do - gem 'puppet_metadata', '~> 0.3.0', :require => false - gem 'voxpupuli-acceptance', :require => false + gem 'voxpupuli-acceptance', '~> 1.0', :require => false end group :release do gem 'github_changelog_generator', '>= 1.16.1', :require => false - gem 'puppet-blacksmith', :require => false - gem 'voxpupuli-release', :require => false + gem 'voxpupuli-release', '>= 1.0.2', :require => false gem 'puppet-strings', '>= 2.2', :require => false end -gem 'puppetlabs_spec_helper', '~> 2.0', :require => false gem 'rake', :require => false gem 'facter', ENV['FACTER_GEM_VERSION'], :require => false, :groups => [:test] -puppetversion = ENV['PUPPET_VERSION'] || '~> 6.0' +puppetversion = ENV['PUPPET_VERSION'] || '>= 6.0' gem 'puppet', puppetversion, :require => false, :groups => [:test] # vim: syntax=ruby diff --git a/Rakefile b/Rakefile index 1e8a8980..5dacb6a4 100644 --- a/Rakefile +++ b/Rakefile 
@@ -1,9 +1,22 @@ +# Managed by modulesync - DO NOT EDIT +# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ + # Attempt to load voxupuli-test (which pulls in puppetlabs_spec_helper), # otherwise attempt to load it directly. begin require 'voxpupuli/test/rake' rescue LoadError - require 'puppetlabs_spec_helper/rake_tasks' + begin + require 'puppetlabs_spec_helper/rake_tasks' + rescue LoadError + end +end + +# load optional tasks for acceptance +# only available if gem group releases is installed +begin + require 'voxpupuli/acceptance/rake' +rescue LoadError end # load optional tasks for releases @@ -34,14 +47,12 @@ begin require 'github_changelog_generator/task' require 'puppet_blacksmith' GitHubChangelogGenerator::RakeTask.new :changelog do |config| - version = (Blacksmith::Modulefile.new).version - config.future_release = "v#{version}" if version =~ /^\d+\.\d+.\d+$/ + metadata = Blacksmith::Modulefile.new + config.future_release = "v#{metadata.version}" if metadata.version =~ /^\d+\.\d+.\d+$/ config.header = "# Changelog\n\nAll notable changes to this project will be documented in this file.\nEach new release typically also includes the latest modulesync defaults.\nThese should not affect the functionality of the module." config.exclude_labels = %w{duplicate question invalid wontfix wont-fix modulesync skip-changelog} config.user = 'saz' - metadata_json = File.join(File.dirname(__FILE__), 'metadata.json') - metadata = JSON.load(File.read(metadata_json)) - config.project = metadata['name'] + config.project = metadata.metadata['name'] end # Workaround for https://github.com/github-changelog-generator/github-changelog-generator/issues/715 diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index d266f6b4..fb5f0cbe 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb 
@@ -1,6 +1,5 @@ -# This file is managed via modulesync -# https://github.com/voxpupuli/modulesync -# https://github.com/voxpupuli/modulesync_config +# Managed by modulesync - DO NOT EDIT +# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ # puppetlabs_spec_helper will set up coverage if the env variable is set. # We want to do this if lib exists and it hasn't been explicitly set. From 9961087ffa51e47c14d1f9dd32118caa5d788d3e Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Sat, 14 Aug 2021 13:50:18 +0200 Subject: [PATCH 146/246] fix tests for package ensure --- spec/classes/client_spec.rb | 8 ++------ spec/classes/server_spec.rb | 17 ++++++++++++----- 2 files changed, 14 insertions(+), 11 deletions(-) diff --git a/spec/classes/client_spec.rb b/spec/classes/client_spec.rb index 80115b3e..362d4b21 100644 --- a/spec/classes/client_spec.rb +++ b/spec/classes/client_spec.rb @@ -20,9 +20,7 @@ } end - it do - is_expected.to contain_package('openssh-client').with(ensure: 'present') - end + it { is_expected.to contain_package('openssh-client').with_ensure('installed') } end context 'when on Debian with custom ensure' do let :facts do @@ -48,8 +46,6 @@ } end - it do - is_expected.to contain_package('openssh-client').with(ensure: 'latest') - end + it { is_expected.to contain_package('openssh-client').with_ensure('latest') } end end diff --git a/spec/classes/server_spec.rb b/spec/classes/server_spec.rb index 54d977e8..ea79d80b 100644 --- a/spec/classes/server_spec.rb +++ b/spec/classes/server_spec.rb 
@@ -96,7 +96,13 @@ describe "on supported osfamily: #{osfamily}" do
 it { is_expected.to contain_class('ssh::params') }
- it { is_expected.to contain_package('openssh-server').with_ensure(param_hash[:ensure]) }
+ it do
+ if param_hash[:ensure] == 'present'
+ is_expected.to contain_package('openssh-server').with_ensure('installed')
+ else
+ is_expected.to contain_package('openssh-server').with_ensure(param_hash[:ensure])
+ end
+ end
 it do
 is_expected.to contain_service('ssh').with(
@@ -144,10 +150,11 @@
 it { is_expected.to contain_class('ssh::params') }
 it do
- is_expected.to contain_package('openssh').with(
- ensure: param_hash[:ensure],
- name: 'openssh'
- )
+ if param_hash[:ensure] == 'present'
+ is_expected.to contain_package('openssh').with_ensure('installed').with(name: 'openssh')
+ else
+ is_expected.to contain_package('openssh').with_ensure(param_hash[:ensure]).with(name: 'openssh')
+ end
 end
 it do
From c356a5ad3b8a9c6fb3cb5568f8b91ee576ac2ed0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Romain=20Tarti=C3=A8re?=
Date: Wed, 25 Aug 2021 13:45:39 -1000
Subject: [PATCH 147/246] Allow stdlib 8.0.0
---
metadata.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/metadata.json b/metadata.json
index 1b561fa4..90a05c7c 100644
--- a/metadata.json
+++ b/metadata.json
@@ -10,7 +10,7 @@
 "dependencies": [
 {
 "name": "puppetlabs/stdlib",
- "version_requirement": ">= 4.25.0 < 8.0.0"
+ "version_requirement": ">= 4.25.0 < 9.0.0"
 },
 {
 "name": "puppetlabs/concat",
From e5eec25fd9bc9da5dd21c986f9bb6d59e1f12518 Mon Sep 17 00:00:00 2001
From: Steffen Zieger
Date: Thu, 26 Aug 2021 09:35:28 +0200
Subject: [PATCH 148/246] new release: v7.0.2
---
CHANGELOG.md | 4 ++++
metadata.json | 2 +-
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 148e2964..0c50c90f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
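Review bot: Both rewritten examples now branch inside the `it` block on `param_hash[:ensure] == 'present'`, repeating the same present-to-installed mapping twice in this file (and once more, hard-coded, in spec/classes/client_spec.rb), and nothing records where the mapping comes from — presumably `ensure_packages` normalises `present` to `installed`, which I cannot verify from here. Computing the expectation once keeps the examples branch-free: `let(:expected_ensure) { param_hash[:ensure] == 'present' ? 'installed' : param_hash[:ensure] }` with a comment above it naming the behaviour it mirrors, then `it { is_expected.to contain_package('openssh-server').with_ensure(expected_ensure) }` here and `it { is_expected.to contain_package('openssh').with(ensure: expected_ensure, name: 'openssh') }` in the second hunk. `param_hash` and the enclosing describe blocks are defined outside both hunks.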
@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [7.0.2] +### Added +- allow stdlib < 9.0.0 (#314) + ## [7.0.1] ### Fixed - ssh_config: Don't populate options that are set to undef (#312) diff --git a/metadata.json b/metadata.json index 90a05c7c..69ce97e2 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "saz-ssh", - "version": "7.0.1", + "version": "7.0.2", "author": "saz", "summary": "Manage SSH client and server via Puppet.", "description": "Manage SSH client and server via puppet", From e85d50d252a57cd1522bdb0a8a22cba0677557e1 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Sun, 29 Aug 2021 18:57:35 +0200 Subject: [PATCH 149/246] Gentoo: Fix path to sftp server I don't know since when, but some time ago the path got updated. On an up2date Gentoo box: ``` root@hypervisor01 ~ # equery files openssh | grep sftp-server$ /usr/lib64/misc/sftp-server root@hypervisor01 ~ # ``` --- manifests/params.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/params.pp b/manifests/params.pp index 6925cfe4..53768128 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -158,7 +158,7 @@ $ssh_config = '/etc/ssh/ssh_config' $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' $service_name = 'sshd' - $sftp_server_path = '/usr/lib/misc/sftp-server' + $sftp_server_path = '/usr/lib64/misc/sftp-server' $host_priv_key_group = 0 } 'Amazon': { From b84d4dcea802ce0a12e7d1d96bd71e993cd579bd Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Thu, 2 Sep 2021 16:58:48 +0200 Subject: [PATCH 150/246] new release: v8.0.0 --- CHANGELOG.md | 4 ++++ metadata.json | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0c50c90f..1ef2adb1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
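Review bot: `$sftp_server_path = '/usr/lib64/misc/sftp-server'` hard-codes the 64-bit libdir, so on a Gentoo profile whose libdir is `lib` (no-multilib x86, or a non-amd64 arch) the `Subsystem sftp` line will now point at a missing binary and sftp logins will fail, which is the same class of breakage this commit fixes for amd64; the commit message only demonstrates the amd64 case. If other libdir layouts are in scope, select the path on the architecture fact (a selector on `$facts['os']['architecture']` with `/usr/lib/misc/sftp-server` as the default arm) and document the assumption in the `'Gentoo'` case, which starts before this hunk. I cannot confirm the layout for other Gentoo arches from here, so treat this as something to verify rather than a known bug.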
@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [8.0.0] +### Changed +- update path to sftp server on Gentoo (#315, breaking change) + ## [7.0.2] ### Added - allow stdlib < 9.0.0 (#314) diff --git a/metadata.json b/metadata.json index 69ce97e2..4c523b6b 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "saz-ssh", - "version": "7.0.2", + "version": "8.0.0", "author": "saz", "summary": "Manage SSH client and server via Puppet.", "description": "Manage SSH client and server via puppet", From a79c91c1d272fc2315c58a7ecd8ed3f9f4e6cc79 Mon Sep 17 00:00:00 2001 From: Kenyon Ralph Date: Fri, 18 Feb 2022 16:38:45 -0800 Subject: [PATCH 151/246] hostkeys.pp: remove "@api private" marking This does not appear to be a private API. There is no other "public API" way to supply arguments to this class. --- manifests/hostkeys.pp | 2 -- 1 file changed, 2 deletions(-) diff --git a/manifests/hostkeys.pp b/manifests/hostkeys.pp index b5e45f68..6a189812 100644 --- a/manifests/hostkeys.pp +++ b/manifests/hostkeys.pp @@ -1,8 +1,6 @@ # @summary # This class manages hostkeys # -# @api private -# class ssh::hostkeys ( Boolean $export_ipaddresses = true, Optional[String] $storeconfigs_group = undef, From 7f1a117231e5d262e5d5e5b29bf8fa98c488d143 Mon Sep 17 00:00:00 2001 
From: Simon Hoenscheid Date: Wed, 23 Feb 2022 14:28:37 +0100 Subject: [PATCH 152/246] improve metadata, improve spec tests --- metadata.json | 75 ++++- spec/classes/client_spec.rb | 63 ++--- spec/classes/init_spec.rb | 112 ++------ spec/classes/server_spec.rb | 245 +++++++--------- spec/defines/client/config/user_spec.rb | 267 ++++++++---------- spec/defines/server/config/setting_spec.rb | 135 ++++----- spec/defines/server/host_key_spec.rb | 313 ++++++++++----------- 7 files changed, 527 insertions(+), 683 deletions(-) diff --git a/metadata.json b/metadata.json index 4c523b6b..c7a36729 100644 --- a/metadata.json +++ b/metadata.json @@ -3,7 +3,6 @@ "version": "8.0.0", "author": "saz", "summary": "Manage SSH client and server via Puppet.", - "description": "Manage SSH client and server via puppet", "license": "Apache-2.0", "source": "git://github.com/saz/puppet-ssh.git", "project_page": "https://github.com/saz/puppet-ssh", 
@@ -19,37 +18,91 @@ ], "operatingsystem_support": [ { - "operatingsystem": "RedHat" + "operatingsystem": "RedHat", + "operatingsystemrelease": [ + "7", + "8", + "9" + ] }, { - "operatingsystem": "CentOS" + "operatingsystem": "CentOS", + "operatingsystemrelease": [ + "7", + "8", + "9" + ] }, { - "operatingsystem": "OracleLinux" + "operatingsystem": "OracleLinux", + "operatingsystemrelease": [ + "7", + "8", + "9" + ] }, { - "operatingsystem": "Scientific" + "operatingsystem": "Scientific", + "operatingsystemrelease": [ + "7", + "8", + "9" + ] }, { - "operatingsystem": "Debian" + "operatingsystem": "Debian", + "operatingsystemrelease": [ + "10", + "11" + ] }, { - "operatingsystem": "Ubuntu" + "operatingsystem": "Ubuntu", + "operatingsystemrelease": [ + "18.04", + "20.04" + ] }, { - "operatingsystem": "FreeBSD" + "operatingsystem": "SLES", + "operatingsystemrelease": [ + "12", + "15" + ] }, { - "operatingsystem": "DragonFly" + "operatingsystem": "OpenSuSE", + "operatingsystemrelease": [ + "42" + ] }, { - "operatingsystem": "OpenBSD" + "operatingsystem": "FreeBSD", + "operatingsystemrelease": [ + "12", + "13" + ] + }, + { + "operatingsystem": "DragonFly", + "operatingsystemrelease": [ + "6" + ] + }, + { + "operatingsystem": "OpenBSD", + "operatingsystemrelease": [ + "7" + ] }, { "operatingsystem": "Gentoo" }, { - "operatingsystem": "Solaris" + "operatingsystem": "Solaris", + "operatingsystemrelease": [ + "11" + ] }, { "operatingsystem": "ArchLinux" diff --git a/spec/classes/client_spec.rb b/spec/classes/client_spec.rb index 362d4b21..c9e63622 100644 --- a/spec/classes/client_spec.rb +++ b/spec/classes/client_spec.rb 
@@ -1,51 +1,28 @@ require 'spec_helper' describe 'ssh::client', type: 'class' do - context 'when on Debian with no other parameters' do - let :facts do - { - :os => { - 'family' => 'Debian' - }, - 'networking' => { - 'interfaces' => { - 'eth0' => { - 'ip' => '10.0.0.1' - }, - 'eth1' => { - 'ip' => '10.0.1.1' - }, - } - } - } - end + on_supported_os.each do |os, os_facts| + let(:facts) { os_facts } - it { is_expected.to contain_package('openssh-client').with_ensure('installed') } - end - context 'when on Debian with custom ensure' do - let :facts do - { - :os => { - 'family' => 'Debian' - }, - 'networking' => { - 'interfaces' => { - 'eth0' => { - 'ip' => '10.0.0.1' - }, - 'eth1' => { - 'ip' => '10.0.1.1' - }, + context "on #{os}" do + context 'with all defaults' do + it { is_expected.to compile.with_all_deps } + end + context 'when on Debian with no other parameters', if: %w[Debian].include?(os_facts[:os]['Family']) do + it { is_expected.to contain_package('openssh-client').with_ensure('installed') } + end + context 'when on Debian with no other parameters', if: %w[RedHat].include?(os_facts[:os]['Family']) do + it { is_expected.to contain_package('openssh-clients').with_ensure('installed') } + end + context 'when on Debian with custom ensure', if: %w[Debian].include?(os_facts[:os]['Family']) do + let :params do + { + ensure: 'latest' } - } - } - end - let :params do - { - ensure: 'latest' - } - end + end - it { is_expected.to contain_package('openssh-client').with_ensure('latest') } + it { is_expected.to contain_package('openssh-client').with_ensure('latest') } + end + end end end diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index 09e1df8b..9f9cb1e2 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb 
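Review bot: `let(:facts) { os_facts }` sits directly inside the `on_supported_os.each` loop but outside `context "on #{os}"`, so every iteration redefines the same `let` on the outer describe group and all contexts end up running with the facts of whichever OS comes last in the list; move the `let` inside the per-OS context. Separately, the `if:` guards read `os_facts[:os]['Family']` with a capital F while the facterdb fact hash uses `os['family']`, so as far as I can tell the lookup is nil, `%w[Debian].include?(nil)` is false, and all three guarded contexts are silently skipped, which is why the mislabelled RedHat context titled 'when on Debian with no other parameters' has not been noticed. Change the guards to `if: os_facts[:os]['family'] == 'Debian'` (and `'RedHat'`) and fix the RedHat context title.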
@@ -1,98 +1,38 @@ require 'spec_helper' describe 'ssh', type: 'class' do - context 'when on Debian with no other parameters' do - let :facts do - { - :os => { - 'family' => 'Debian' - }, - 'networking' => { - 'interfaces' => { - 'eth0' => { - 'ip' => '10.0.0.1' - }, - 'eth1' => { - 'ip' => '10.0.1.1' - }, - } - } - } - end - - it do - is_expected.to contain_class('ssh::client') - end - it do - is_expected.to contain_class('ssh::server') - end - it do - is_expected.to contain_concat('/etc/ssh/sshd_config').with_validate_cmd(nil) - end - - it do - is_expected.to contain_resources('sshkey').with_purge(true) - end + on_supported_os.each do |os, os_facts| + let(:facts) { os_facts } - context 'when on Debian with the validate_sshd_file setting' do - let :facts do - { - :os => { - 'family' => 'Debian' - }, - 'networking' => { - 'interfaces' => { - 'eth0' => { - 'ip' => '10.0.0.1' - }, - 'eth1' => { - 'ip' => '10.0.1.1' - }, - } - } - } + context "on #{os}" do + context 'with all defaults' do + it { is_expected.to compile.with_all_deps } end - let :params do - { - validate_sshd_file: true - } + context 'with the validate_sshd_file setting' do + let :params do + { + validate_sshd_file: true + } + end + + it { is_expected.to contain_class('ssh::client') } + it { is_expected.to contain_concat('/etc/ssh/sshd_config').with_validate_cmd('/usr/sbin/sshd -tf %') } end + context 'without resource purging' do + let :params do + { + purge_unmanaged_sshkeys: false + } + end - it do - is_expected.to contain_class('ssh::client') + it { is_expected.not_to contain_resources('sshkey') } end - it do - is_expected.to contain_concat('/etc/ssh/sshd_config').with_validate_cmd('/usr/sbin/sshd -tf %') + context 'with no other parameters' do + it { is_expected.to contain_class('ssh::client') } + it { is_expected.to contain_class('ssh::server') } + it { is_expected.to contain_concat('/etc/ssh/sshd_config').with_validate_cmd(nil) } + it { is_expected.to contain_resources('sshkey').with_purge(true) } 
end end end - - standard_facts = { - :os => { - 'family' => 'Debian' - }, - 'networking' => { - 'interfaces' => { - 'eth0' => { - 'ip' => '10.0.0.1' - }, - 'eth1' => { - 'ip' => '10.0.1.1' - }, - } - } - } - - context 'When on Debian without resource purging' do - let :facts do - standard_facts - end - let :params do - { 'purge_unmanaged_sshkeys' => false } - end - - it do - is_expected.not_to contain_resources('sshkey') - end - end end diff --git a/spec/classes/server_spec.rb b/spec/classes/server_spec.rb index ea79d80b..143142c5 100644 --- a/spec/classes/server_spec.rb +++ b/spec/classes/server_spec.rb 
@@ -1,123 +1,92 @@ require 'spec_helper' describe 'ssh::server' do - let :default_params do - { - ensure: 'present', - storeconfigs_enabled: true - } - end + on_supported_os.each do |os, os_facts| + let(:facts) { os_facts } - describe 'providing options' do - let :params do - { - options: { - 'TestString' => '/usr/bin', - 'TestBoolean' => true + context "on #{os}" do + let :default_params do + { + ensure: 'present', + storeconfigs_enabled: true } - } - end - - let :facts do - { - :os => { - 'family' => 'RedHat', - 'release' => { - 'major' => '6' - } - }, - 'networking' => { - 'interfaces' => { - 'eth0' => { - 'ip' => '10.0.0.1' - }, - 'eth1' => { - 'ip' => '10.0.1.1' - }, - } - } - } - end - - it do - is_expected.to contain_concat__fragment('global config').with( - target: '/etc/ssh/sshd_config', - content: '# File is managed by Puppet - -AcceptEnv LANG LC_* -ChallengeResponseAuthentication no -PrintMotd no -Subsystem sftp /usr/libexec/openssh/sftp-server -TestBoolean yes -TestString /usr/bin -UsePAM yes -X11Forwarding yes -' - # rubocop:enable EmptyLinesAroundArguments - ) - end - end - - [{}, - { - ensure: 'latest', - storeconfigs_enabled: true - }, - { - ensure: 'present', - storeconfigs_enabled: false - }].each do |param_set| - describe "when #{param_set == {} ? 
'using default' : 'specifying'} class parameters" do - let :param_hash do - default_params.merge(param_set) end - let :params do - param_set + context 'with all defaults' do + it { is_expected.to compile.with_all_deps } end - - ['Debian'].each do |osfamily| - let :facts do + describe 'providing options' do + let :params do { - :os => { - 'family' => osfamily - }, - 'networking' => { - 'interfaces' => { - 'eth0' => { - 'ip' => '10.0.0.1' - }, - 'eth1' => { - 'ip' => '10.0.1.1' - }, - } + options: { + 'TestString' => '/usr/bin', + 'TestBoolean' => true } } end - describe "on supported osfamily: #{osfamily}" do - it { is_expected.to contain_class('ssh::params') } + context 'Debian sshd_config', if: %w[Debian].include?(os_facts[:os]['Family']) do it do - if param_hash[:ensure] == 'present' - is_expected.to contain_package('openssh-server').with_ensure('installed') - else - is_expected.to contain_package('openssh-server').with_ensure(param_hash[:ensure]) - end - end + is_expected.to contain_concat__fragment('global config').with( + target: '/etc/ssh/sshd_config', + content: '# File is managed by Puppet - it do - is_expected.to contain_service('ssh').with( - 'ensure' => 'running', - 'enable' => true, - 'hasrestart' => true, - 'hasstatus' => true + AcceptEnv LANG LC_* + ChallengeResponseAuthentication no + PrintMotd no + Subsystem sftp /usr/libexec/openssh/sftp-server + TestBoolean yes + TestString /usr/bin + UsePAM yes + X11Forwarding yes + ' + # rubocop:enable EmptyLinesAroundArguments ) end + end + end + [{}, + { + ensure: 'latest', + storeconfigs_enabled: true + }, + { + ensure: 'present', + storeconfigs_enabled: false + }].each do |param_set| + describe "when #{param_set == {} ? 
'using default' : 'specifying'} class parameters" do + let :param_hash do + default_params.merge(param_set) + end - it { is_expected.to contain_concat('/etc/ssh/sshd_config') } - it do - is_expected.to contain_concat__fragment('global config').with( - target: '/etc/ssh/sshd_config', - content: '# File is managed by Puppet + let :params do + param_set + end + + ['Debian'].each do |osfamily| + describe "on supported osfamily: #{osfamily}", if: %w[Debian].include?(os_facts[:os]['Family']) do + it { is_expected.to contain_class('ssh::params') } + it do + if param_hash[:ensure] == 'present' + is_expected.to contain_package('openssh-server').with_ensure('installed') + else + is_expected.to contain_package('openssh-server').with_ensure(param_hash[:ensure]) + end + end + + it do + is_expected.to contain_service('ssh').with( + 'ensure' => 'running', + 'enable' => true, + 'hasrestart' => true, + 'hasstatus' => true + ) + end + + it { is_expected.to contain_concat('/etc/ssh/sshd_config') } + it do + is_expected.to contain_concat__fragment('global config').with( + target: '/etc/ssh/sshd_config', + content: '# File is managed by Puppet AcceptEnv LANG LC_* ChallengeResponseAuthentication no 
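Review bot: The expected sshd_config content in the new 'Debian sshd_config' context appears to have been re-indented together with the surrounding code, so the lines inside the single-quoted literal (`AcceptEnv LANG LC_*`, `UsePAM yes`, …) now carry leading spaces that the generated fragment will not contain, and the expected `Subsystem sftp /usr/libexec/openssh/sftp-server` is the RedHat path carried over from the old RedHat-only test rather than what the Debian branch of `ssh::params` produces. This most likely went unnoticed because the guard `if: %w[Debian].include?(os_facts[:os]['Family'])` uses a capitalised key that does not exist in the fact hash, so the context is skipped. Dedent the literal back to column 0 or switch it to a `<<~CONFIG` heredoc so indentation is stripped, put the Debian sftp path in, and change the guard to `os_facts[:os]['family']`. The outer `describe` and its `default_params` start before this hunk.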
@@ -126,51 +95,33 @@ UsePAM yes X11Forwarding yes ' - ) - end - end - describe 'on Arch' do - let :facts do - { - :os => { - 'family' => 'Archlinux' - }, - 'networking' => { - 'interfaces' => { - 'eth0' => { - 'ip' => '10.0.0.1' - }, - 'eth1' => { - 'ip' => '10.0.1.1' - }, - } - } - } - end - - it { is_expected.to contain_class('ssh::params') } - it do - if param_hash[:ensure] == 'present' - is_expected.to contain_package('openssh').with_ensure('installed').with(name: 'openssh') - else - is_expected.to contain_package('openssh').with_ensure(param_hash[:ensure]).with(name: 'openssh') + ) + end end - end + describe 'on Arch', if: %w[Archlinux].include?(os_facts[:os]['Family']) do + it { is_expected.to contain_class('ssh::params') } + it do + if param_hash[:ensure] == 'present' + is_expected.to contain_package('openssh').with_ensure('installed').with(name: 'openssh') + else + is_expected.to contain_package('openssh').with_ensure(param_hash[:ensure]).with(name: 'openssh') + end + end - it do - is_expected.to contain_service('sshd.service').with( - 'ensure' => 'running', - 'enable' => true, - 'hasrestart' => true, - 'hasstatus' => true - ) - end + it do + is_expected.to contain_service('sshd.service').with( + 'ensure' => 'running', + 'enable' => true, + 'hasrestart' => true, + 'hasstatus' => true + ) + end - it { is_expected.to contain_concat('/etc/ssh/sshd_config') } - it do - is_expected.to contain_concat__fragment('global config').with( - target: '/etc/ssh/sshd_config', - content: '# File is managed by Puppet + it { is_expected.to contain_concat('/etc/ssh/sshd_config') } + it do + is_expected.to contain_concat__fragment('global config').with( + target: '/etc/ssh/sshd_config', + content: '# File is managed by Puppet AcceptEnv LANG LC_* ChallengeResponseAuthentication no @@ -179,7 +130,9 @@ UsePAM yes X11Forwarding yes ' - ) + ) + end + end end end end 
diff --git a/spec/defines/client/config/user_spec.rb b/spec/defines/client/config/user_spec.rb index e0f10345..97ec1d14 100644 --- a/spec/defines/client/config/user_spec.rb +++ b/spec/defines/client/config/user_spec.rb 
@@ -1,184 +1,159 @@ require 'spec_helper' -describe 'ssh::client::config::user', type: :define do - let :title do - 'riton' - end - - let :ssh_options do - { - 'HashKnownHosts' => 'yes', - 'Host *.in2p3.fr' => { - 'User' => 'riton', - 'GSSAPIAuthentication' => 'no' - } - } - end +describe 'ssh::client::config::user' do + on_supported_os.each do |os, os_facts| + let(:facts) { os_facts } - let :facts do - { - :os => { - 'family' => 'RedHat', - 'release' => { - 'major' => '6' - } - }, - 'networking' => { - 'interfaces' => { - 'eth0' => { - 'ip' => '10.0.0.1' - }, - 'eth1' => { - 'ip' => '10.0.1.1' - }, - } - } - } - end + context "on #{os}" do + let(:title) { 'riton' } - describe 'with invalid parameters' do - params = { - ensure: ['somestate', 'expects a match for Enum'], - target: ['./somedir', 'Pattern'], - user_home_dir: ['./somedir', 'Pattern'], - manage_user_ssh_dir: ['maybe', 'expects a Boolean'], - options: ['the_options', 'Hash value'] - } - - params.each do |param, value| - context "with invalid value for #{param}" do - let :params do - { - param => value[0] + let :ssh_options do + { + 'HashKnownHosts' => 'yes', + 'Host *.in2p3.fr' => { + 'User' => 'riton', + 'GSSAPIAuthentication' => 'no' } - end - - it { is_expected.not_to compile } + } end - end - end - # describe 'with invalid parameters' - describe 'with correct values' do - describe 'with a user provided target' do - let :target do - '/root/.ssh/config' + context 'with all defaults' do + it { is_expected.to compile.with_all_deps } end - let :params do - { - target: target + describe 'with invalid parameters' do + params = { + ensure: ['somestate', 'expects a match for Enum'], + target: ['./somedir', 'Pattern'], + user_home_dir: ['./somedir', 'Pattern'], + manage_user_ssh_dir: ['maybe', 'expects a Boolean'], + options: ['the_options', 'Hash value'] } - end - it do - is_expected.to contain_concat_file(target).with( - ensure: 'present', - tag: title - ) - is_expected.to 
contain_concat_fragment(title).with( - tag: title, - target: target - ) - end - end - # describe 'with a user provided target' + params.each do |param, value| + context "with invalid value for #{param}" do + let :params do + { + param => value[0] + } + end - describe 'user_home_dir behavior' do - context 'with a user provided user_home_dir' do - let :user_home_dir do - '/path/to/home' + it { is_expected.not_to compile } + end end + end + # describe 'with invalid parameters' + + describe 'with correct values' do + describe 'with a user provided target' do + let(:target) { '/root/.ssh/config' } - context 'with manage_user_ssh_dir default value' do let :params do { - user_home_dir: user_home_dir + target: target } end - it 'contains ssh directory and ssh config' do - is_expected.to contain_file("#{user_home_dir}/.ssh").with( - ensure: 'directory', - owner: title, - mode: '0700' - ).that_comes_before("Concat_file[#{user_home_dir}/.ssh/config]") - - is_expected.to contain_concat_file("#{user_home_dir}/.ssh/config").with( - ensure: 'present', - owner: title, - mode: '0600' - ) - end + it { + is_expected.to contain_concat_file(target).with(ensure: 'present', tag: title) + is_expected.to contain_concat_fragment(title).with(tag: title, target: target) + } end - # context 'with manage_user_ssh_dir default value' - - context 'with manage_user_ssh_dir set to false' do - let :params do - { - user_home_dir: user_home_dir, - manage_user_ssh_dir: false - } + # describe 'with a user provided target' + + describe 'user_home_dir behavior' do + context 'with a user provided user_home_dir' do + let(:user_home_dir) { '/path/to/home' } + + context 'with manage_user_ssh_dir default value' do + let :params do + { + user_home_dir: user_home_dir + } + end + + it 'contains ssh directory and ssh config' do + is_expected.to contain_file("#{user_home_dir}/.ssh").with( + ensure: 'directory', + owner: title, + mode: '0700' + ).that_comes_before("Concat_file[#{user_home_dir}/.ssh/config]") + + 
is_expected.to contain_concat_file("#{user_home_dir}/.ssh/config").with( + ensure: 'present', + owner: title, + mode: '0600' + ) + end + end + # context 'with manage_user_ssh_dir default value' + + context 'with manage_user_ssh_dir set to false' do + let :params do + { + user_home_dir: user_home_dir, + manage_user_ssh_dir: false + } + end + + it do + is_expected.not_to contain_file("#{user_home_dir}/.ssh") + end + end + # context 'with manage_user_ssh_dir set to false' end - - it do - is_expected.not_to contain_file("#{user_home_dir}/.ssh") + # context 'with a user provided user_home_dir' + + context 'with no user provided user_home_dir' do + it 'with manage_user_ssh_dir default value' do + is_expected.to contain_file("/home/#{title}/.ssh").that_comes_before("Concat_file[/home/#{title}/.ssh/config]") + is_expected.to contain_concat_file("/home/#{title}/.ssh/config") + end + + context 'with manage_user_ssh_dir set to false' do + let :params do + { + manage_user_ssh_dir: false + } + end + + it do + is_expected.not_to contain_file("/home/#{title}/.ssh") + end + + it do + is_expected.to contain_concat_file("/home/#{title}/.ssh/config") + end + end + # context 'with manage_user_ssh_dir set to false' end + # context 'with no user provided user_home_dir' end - # context 'with manage_user_ssh_dir set to false' - end - # context 'with a user provided user_home_dir' - - context 'with no user provided user_home_dir' do - it 'with manage_user_ssh_dir default value' do - is_expected.to contain_file("/home/#{title}/.ssh").that_comes_before("Concat_file[/home/#{title}/.ssh/config]") - is_expected.to contain_concat_file("/home/#{title}/.ssh/config") - end + # describe 'user_home_dir behavior' - context 'with manage_user_ssh_dir set to false' do + describe 'ssh configuration content' do let :params do { - manage_user_ssh_dir: false + options: ssh_options } end - it do - is_expected.not_to contain_file("/home/#{title}/.ssh") + it 'has single value' do + is_expected.to 
contain_concat_fragment(title).with( + content: %r{HashKnownHosts\s+yes}, + target: "/home/#{title}/.ssh/config" + ) end - it do - is_expected.to contain_concat_file("/home/#{title}/.ssh/config") + it 'has Hash value' do + is_expected.to contain_concat_fragment(title).with( + content: %r{Host \*\.in2p3\.fr\s*\n\s+GSSAPIAuthentication\s+no\s*\n\s+User\s+riton}, + target: "/home/#{title}/.ssh/config" + ) end end - # context 'with manage_user_ssh_dir set to false' - end - # context 'with no user provided user_home_dir' - end - # describe 'user_home_dir behavior' - - describe 'ssh configuration content' do - let :params do - { - options: ssh_options - } - end - - it 'has single value' do - is_expected.to contain_concat_fragment(title).with( - content: %r{HashKnownHosts\s+yes}, - target: "/home/#{title}/.ssh/config" - ) - end - - it 'has Hash value' do - is_expected.to contain_concat_fragment(title).with( - content: %r{Host \*\.in2p3\.fr\s*\n\s+GSSAPIAuthentication\s+no\s*\n\s+User\s+riton}, - target: "/home/#{title}/.ssh/config" - ) end end end - # describe 'with correct values' end - # vim: tabstop=2 shiftwidth=2 softtabstop=2 diff --git a/spec/defines/server/config/setting_spec.rb b/spec/defines/server/config/setting_spec.rb index cc4ebf8f..1e1ccc18 100644 --- a/spec/defines/server/config/setting_spec.rb +++ b/spec/defines/server/config/setting_spec.rb 
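Review bot: In the 'with invalid parameters' table each entry carries an expected error fragment ('expects a match for Enum', 'Pattern', 'expects a Boolean', 'Hash value') but the example only asserts `it { is_expected.not_to compile }`, so `value[1]` is never used and a compile failure for any unrelated reason would still pass. Assert the message instead, `it { is_expected.to compile.and_raise_error(%r{#{Regexp.escape(value[1])}}) }`, which is the matcher the other specs in this commit already use. As in the other rewritten specs, `let(:facts) { os_facts }` is placed outside `context "on #{os}"`, so the last OS's facts are what every example actually sees; move it inside the context.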
@@ -1,84 +1,61 @@ require 'spec_helper' -describe 'ssh::server::config::setting', type: :define do - let :title do - 'something' - end - - let :facts do - { - :os => { - 'family' => 'RedHat', - 'release' => { - 'major' => '6' - }, - }, - 'networking' => { - 'interfaces' => { - 'eth0' => { - 'ip' => '10.0.0.1' - }, - 'eth1' => { - 'ip' => '10.0.1.1' - }, - } - } - } - end - - describe 'with key => "AllowGroups", value => "group1 group2"' do - let :params do - { - key: 'AllowGroups', - value: 'group1 group2' - } - end - - it do - is_expected.to contain_concat__fragment('ssh_setting_something_AllowGroups').with_content(%r{\nAllowGroups group1 group2\n}) - end - end - - describe 'with key => "Somesetting", value => true' do - let :params do - { - key: 'Somesetting', - value: true - } - end - - it do - is_expected.to contain_concat__fragment('ssh_setting_something_Somesetting').with_content(%r{\nSomesetting yes\n}) - end - end - - describe 'with key => "Foo", value => [1, 2]' do - let :params do - { - key: 'Foo', - value: [1, 2] - } - end - - it do - is_expected.to contain_concat__fragment('ssh_setting_something_Foo').with_content(%r{\nFoo 1 2\n}) - end - end - - describe 'with key => "Bar", value => {"a" => "b"}' do - let :params do - { - key: 'Bar', - value: { - 'a' => 'b' - } - } - end - - it 'fails' do - expect do - is_expected.to compile - end.to raise_error(%r{Hash values are not supported}) +describe 'ssh::server::config::setting' do + on_supported_os.each do |os, os_facts| + let(:facts) { os_facts } + + context "on #{os}" do + let(:title) { 'something' } + + context 'with all defaults' do + it { is_expected.not_to compile } + end + describe 'with key => "AllowGroups", value => "group1 group2"' do + let :params do + { + key: 'AllowGroups', + value: 'group1 group2' + } + end + + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_concat__fragment('ssh_setting_something_AllowGroups').with_content(%r{\nAllowGroups group1 group2\n}) } + end + + 
describe 'with key => "Somesetting", value => true' do + let :params do + { + key: 'Somesetting', + value: true + } + end + + it { is_expected.to contain_concat__fragment('ssh_setting_something_Somesetting').with_content(%r{\nSomesetting yes\n}) } + end + + describe 'with key => "Foo", value => [1, 2]' do + let :params do + { + key: 'Foo', + value: [1, 2] + } + end + + it { is_expected.to contain_concat__fragment('ssh_setting_something_Foo').with_content(%r{\nFoo 1 2\n}) } + end + + describe 'with key => "Bar", value => {"a" => "b"}' do + let :params do + { + key: 'Bar', + value: { + 'a' => 'b' + } + } + end + + it { is_expected.to compile.and_raise_error(%r{Hash values are not supported}) } + end end end end diff --git a/spec/defines/server/host_key_spec.rb b/spec/defines/server/host_key_spec.rb index 3be4d312..4613c480 100644 --- a/spec/defines/server/host_key_spec.rb +++ b/spec/defines/server/host_key_spec.rb 
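Review bot: `context 'with all defaults' do it { is_expected.not_to compile }` accepts any compilation failure, so it would keep passing if the catalog broke for a reason unrelated to `key` and `value` being mandatory. Pin the reason with `it { is_expected.to compile.and_raise_error(%r{expects a value for parameter}) }`, checking the exact wording against the Puppet version in the matrix. `let(:facts) { os_facts }` is again outside the per-OS context, so each iteration overwrites it and only the last OS's facts are used.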
@@ -1,180 +1,149 @@ require 'spec_helper' describe 'ssh::server::host_key', type: :define do - let :title do - 'something' - end - - let(:pre_condition) { 'class {"::ssh::params": }' } - - let :facts do - { - :os => { - 'family' => 'RedHat', - 'release' => { - 'major' => '6' - }, - }, - 'networking' => { - 'interfaces' => { - 'eth0' => { - 'ip' => '10.0.0.1' - }, - 'eth1' => { - 'ip' => '10.0.1.1' - }, + on_supported_os.each do |os, os_facts| + let(:facts) { os_facts } + + context "on #{os}" do + let(:title) { 'something' } + let(:pre_condition) { 'include ssh' } + + context 'with all defaults' do + it { is_expected.to compile.and_raise_error(%r{You must provide either public_key_source or public_key_content parameter}) } + end + describe 'with public_key_content, private_key_content and certificate_content' do + let :params do + { + public_key_content: 'abc', + private_key_content: 'bcd', + certificate_content: 'cde' + } + end + + it { is_expected.to compile.with_all_deps } + it { + is_expected.to contain_file('something_pub'). + with_content('abc'). + with_ensure('present'). + with_owner(0). + with_group(0). + with_mode('0644'). + with_path('/etc/ssh/something.pub') + is_expected.to contain_file('something_priv'). + with_content('bcd'). + with_ensure('present'). + with_owner(0). + with_group(0). + with_mode('0600'). + with_path('/etc/ssh/something') + is_expected.to contain_file('something_cert'). + with_content('cde'). + with_ensure('present'). + with_owner(0). + with_group(0). + with_mode('0644'). + with_path('/etc/ssh/something-cert.pub') } - } - } - end - - describe 'with public_key_content, private_key_content and certificate_content' do - let :params do - { - public_key_content: 'abc', - private_key_content: 'bcd', - certificate_content: 'cde' - } - end - - it do - is_expected.to contain_file('something_pub'). - with_content('abc'). - with_ensure('present'). - with_owner(0). - with_group(0). - with_mode('0644'). 
- with_path('/etc/ssh/something.pub') - is_expected.to contain_file('something_priv'). - with_content('bcd'). - with_ensure('present'). - with_owner(0). - with_group(0). - with_mode('0600'). - with_path('/etc/ssh/something') - is_expected.to contain_file('something_cert'). - with_content('cde'). - with_ensure('present'). - with_owner(0). - with_group(0). - with_mode('0644'). - with_path('/etc/ssh/something-cert.pub') - end - end - - describe 'with public_key_content and private_key_content' do - let :params do - { - public_key_content: 'abc', - private_key_content: 'bcd' - } - end - - it do - is_expected.to contain_file('something_pub'). - with_content('abc'). - with_ensure('present'). - with_owner(0). - with_group(0). - with_mode('0644'). - with_path('/etc/ssh/something.pub') - is_expected.to contain_file('something_priv'). - with_content('bcd'). - with_ensure('present'). - with_owner(0). - with_group(0). - with_mode('0600'). - with_path('/etc/ssh/something') - is_expected.not_to contain_file('something_cert') - end - end - - describe 'with *_key_content and *_key_source, *_key_source takes precedence' do - let :params do - { - public_key_content: 'abc', - public_key_source: 'a', - private_key_content: 'bcd', - private_key_source: 'b' - } - end - - it do - is_expected.to contain_file('something_pub'). - without_content. - with_source('a'). - with_ensure('present'). - with_owner(0). - with_group(0). - with_mode('0644'). - with_path('/etc/ssh/something.pub') - is_expected.to contain_file('something_priv'). - without_content. - with_source('b'). - with_ensure('present'). - with_owner(0). - with_group(0). - with_mode('0600'). 
- with_path('/etc/ssh/something') - is_expected.not_to contain_file('something_cert') - end - end - - describe 'with private_key_content and no public_key_content' do - let :params do - { - private_key_content: 'bcd' - } - end - - it 'fails' do - expect do - is_expected.to compile - end.to raise_error(%r{You must provide either public_key_source or public_key_content parameter}) - end - end - - describe 'with public_key_content and no private_key_content' do - let :params do - { - public_key_content: 'abc' - } - end - - it 'fails' do - expect do - is_expected.to compile - end.to raise_error(%r{You must provide either private_key_source or private_key_content parameter}) - end - end - - describe 'with private_key_source and no public_key_source' do - let :params do - { - private_key_source: 'bcd' - } - end - - it 'fails' do - expect do - is_expected.to compile - end.to raise_error(%r{You must provide either public_key_source or public_key_content parameter}) - end - end - - describe 'with public_key_source and no private_key_source' do - let :params do - { - public_key_source: 'abc' - } - end - - it 'fails' do - expect do - is_expected.to compile - end.to raise_error(%r{You must provide either private_key_source or private_key_content parameter}) + end + + describe 'with public_key_content and private_key_content' do + let :params do + { + public_key_content: 'abc', + private_key_content: 'bcd' + } + end + + it { + is_expected.to contain_file('something_pub'). + with_content('abc'). + with_ensure('present'). + with_owner(0). + with_group(0). + with_mode('0644'). + with_path('/etc/ssh/something.pub') + is_expected.to contain_file('something_priv'). + with_content('bcd'). + with_ensure('present'). + with_owner(0). + with_group(0). + with_mode('0600'). 
+ with_path('/etc/ssh/something') + is_expected.not_to contain_file('something_cert') + } + end + + describe 'with *_key_content and *_key_source, *_key_source takes precedence' do + let :params do + { + public_key_content: 'abc', + public_key_source: 'a', + private_key_content: 'bcd', + private_key_source: 'b' + } + end + + it { + is_expected.to contain_file('something_pub'). + without_content. + with_source('a'). + with_ensure('present'). + with_owner(0). + with_group(0). + with_mode('0644'). + with_path('/etc/ssh/something.pub') + is_expected.to contain_file('something_priv'). + without_content. + with_source('b'). + with_ensure('present'). + with_owner(0). + with_group(0). + with_mode('0600'). + with_path('/etc/ssh/something') + is_expected.not_to contain_file('something_cert') + } + end + + describe 'with private_key_content and no public_key_content' do + let :params do + { + private_key_content: 'bcd' + } + end + + it { is_expected.to compile.and_raise_error(%r{You must provide either public_key_source or public_key_content parameter}) } + end + + describe 'with public_key_content and no private_key_content' do + let :params do + { + public_key_content: 'abc' + } + end + + it { is_expected.to compile.and_raise_error(%r{You must provide either private_key_source or private_key_content parameter}) } + end + + describe 'with private_key_source and no public_key_source' do + let :params do + { + private_key_source: 'bcd' + } + end + + it { is_expected.to compile.and_raise_error(%r{You must provide either public_key_source or public_key_content parameter}) } + end + + describe 'with public_key_source and no private_key_source' do + let :params do + { + public_key_source: 'abc' + } + end + + it { is_expected.to compile.and_raise_error(%r{You must provide either private_key_source or private_key_content parameter}) } + end end end end - # vim: tabstop=2 shiftwidth=2 softtabstop=2 From 9933778e9c5fcafff208956c14bdab13f87fb977 Mon Sep 17 00:00:00 2001 
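Review bot: The expectations on `something_priv` pin owner 0, group 0 and mode 0600 but not `show_diff`; if `ssh::server::host_key` does not set `show_diff => false` on the private key file (the define is not in this hunk, so I cannot confirm either way), a content change would print the host private key into agent logs and reports. Add `with_show_diff(false)` to the 'something_priv' chain in the three positive cases so the test pins it, and set it in the define if it is missing. The `*_key_source takes precedence` case uses `without_content`, which is the right way to prove the inline key is not also emitted. Note also that `let(:facts) { os_facts }` sits outside `context "on #{os}"`, so only the last OS's facts are in effect.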
From: Tim Meusel Date: Wed, 16 Mar 2022 22:39:41 +0100 Subject: [PATCH 153/246] metadata.json: Use https URL to git repo using plaintext git URLs isn't supported by GitHub anymore. People might parse the metadata.json to get the git URL which will then fail. --- metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/metadata.json b/metadata.json index 4c523b6b..ccf9d45a 100644 --- a/metadata.json +++ b/metadata.json @@ -5,7 +5,7 @@ "summary": "Manage SSH client and server via Puppet.", "description": "Manage SSH client and server via puppet", "license": "Apache-2.0", - "source": "git://github.com/saz/puppet-ssh.git", + "source": "https://github.com/saz/puppet-ssh.git", "project_page": "https://github.com/saz/puppet-ssh", "dependencies": [ { From f8409355d61dedfe24d927bf640b87fa773db2b1 Mon Sep 17 00:00:00 2001 From: Simon Hoenscheid Date: Fri, 18 Mar 2022 15:31:55 +0100 Subject: [PATCH 154/246] add basic acceptence tests --- .github/workflows/ci.yml | 32 ++++++++++++++++++++++++++++++++ spec/acceptance/init_spec.rb | 24 ++++++++++++++++++++++++ spec/spec_helper_acceptance.rb | 5 +++++ 3 files changed, 61 insertions(+) create mode 100644 spec/acceptance/init_spec.rb create mode 100644 spec/spec_helper_acceptance.rb diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 086a667a..9db67001 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -54,3 +54,35 @@ jobs: bundler-cache: true - name: Run tests run: bundle exec rake parallel_spec + + acceptance: + needs: setup_matrix + runs-on: ubuntu-latest + env: + BUNDLE_WITHOUT: development:test:release + strategy: + fail-fast: false + matrix: + include: ${{fromJson(needs.setup_matrix.outputs.github_action_test_matrix)}} + name: ${{ matrix.puppet.name }} - ${{ matrix.setfile.name }} + steps: + - uses: actions/checkout@v2 + - name: Setup ruby + uses: ruby/setup-ruby@v1 + with: + ruby-version: '3.0' + bundler-cache: true + - name: Run tests + run: bundle exec rake beaker + env: + BEAKER_PUPPET_COLLECTION: ${{ matrix.puppet.collection }} + BEAKER_setfile: ${{ matrix.setfile.value }} + + tests: + needs: + - unit + - acceptance + runs-on: ubuntu-latest + name: Test suite + steps: + - run: echo Test suite completed diff --git a/spec/acceptance/init_spec.rb b/spec/acceptance/init_spec.rb new file mode 100644 index 00000000..5ab3f173 --- /dev/null +++ b/spec/acceptance/init_spec.rb @@ -0,0 +1,24 @@ +# frozen_string_literal: true + +require 'spec_helper_acceptance' + +describe 'ssh' do + context 'with defaults' do + it_behaves_like 'an idempotent resource' do + let(:manifest) do + 'include ssh' + end + + describe package('openssh-server') do + it { is_expected.to be_installed } + end + describe port(22) do + it { is_expected.to be_listening } + end + describe service('sshd') do + it { is_expected.to be_enabled } + it { is_expected.to be_running } + end + end + end +end diff --git a/spec/spec_helper_acceptance.rb b/spec/spec_helper_acceptance.rb new file mode 100644 index 00000000..52e2f890 --- /dev/null +++ b/spec/spec_helper_acceptance.rb @@ -0,0 +1,5 @@ +require 'voxpupuli/acceptance/spec_helper_acceptance' + +configure_beaker + +Dir['./spec/support/acceptance/**/*.rb'].sort.each { |f| require f } From 0513f08eda27aeb3878185313cfd5212878a83db Mon Sep 17 00:00:00 2001 
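Review bot: The new `acceptance` job pins `actions/checkout@v2` and `ruby/setup-ruby@v1` to mutable major-version tags, so the job that runs `bundle exec rake beaker` with the repository's Gemfile executes whatever those tags resolve to at run time; pinning each `uses:` to a full commit SHA with the tag in a trailing comment makes the workflow reproducible and lets a reviewer see exactly what changed when the pin is bumped. `BUNDLE_WITHOUT: development:test:release` is set at job level, which is good for keeping the beaker environment small, but a one-line comment saying why the test group is excluded from an acceptance run would help the next reader. In the same commit, `spec/spec_helper_acceptance.rb` lacks the `# frozen_string_literal: true` magic comment that `spec/acceptance/init_spec.rb` carries.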
From: Simon Hoenscheid Date: Mon, 21 Feb 2022 09:51:38 +0100 Subject: [PATCH 155/246] add ssh instances on all systems supporting systemd --- .fixtures.yml | 1 + manifests/init.pp | 88 +++++++++++++--- manifests/params.pp | 16 +++ manifests/server/instances.pp | 65 ++++++++++++ manifests/server/match_block.pp | 4 +- metadata.json | 4 + spec/classes/init_spec.rb | 35 +++++++ spec/defines/server/instances_spec.rb | 133 ++++++++++++++++++++++++ spec/defines/server/match_block_spec.rb | 57 ++++++++++ templates/ssh_instance.erb | 63 +++++++++++ templates/ssh_instance_service.erb | 23 ++++ 11 files changed, 474 insertions(+), 15 deletions(-) create mode 100644 manifests/server/instances.pp create mode 100644 spec/defines/server/instances_spec.rb create mode 100644 spec/defines/server/match_block_spec.rb create mode 100644 templates/ssh_instance.erb create mode 100644 templates/ssh_instance_service.erb diff --git a/.fixtures.yml b/.fixtures.yml index 70675ce3..af1fa799 100644 --- a/.fixtures.yml +++ b/.fixtures.yml @@ -2,6 +2,7 @@ fixtures: repositories: stdlib: "https://github.com/puppetlabs/puppetlabs-stdlib" concat: "https://github.com/puppetlabs/puppetlabs-concat" + systemd: "https://github.com/voxpupuli/puppet-systemd" sshkeys_core: repo: "https://github.com/puppetlabs/puppetlabs-sshkeys_core" puppet_version: ">= 6.0.0" diff --git a/manifests/init.pp b/manifests/init.pp index ffeb1a73..19accd58 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -28,7 +28,34 @@ # }, # }, # }, -# } +# 'server_instances' => { +# 'sftp_server_init' => { +# 'ensure' => 'present', +# 'options' => { +# 'sshd_config' => { +# 'Port' => 8022, +# 'Protocol' => 2, +# 'AddressFamily' => 'any', +# 'HostKey' => '/etc/ssh/ssh_host_rsa_key', +# 'SyslogFacility' => 'AUTH', +# 'LogLevel' => 'INFO', +# 'PermitRootLogin' => 'no', +# }, +# 'sshd_service_options' => '', +# 'match_blocks' => { +# '*,!ssh_exempt_ldap_authkey,!sshlokey' => { +# 'type' => 'group', +# 'options' => { +# 'AuthorizedKeysCommand' => '/usr/local/bin/getauthkey', +# 'AuthorizedKeysCommandUser' => 'nobody', +# 'AuthorizedKeysFile' => '/dev/null', +# }, +# }, +# }, +# }, +# }, +# }, +# } # # @example hiera usage # ssh::storeconfigs_enabled: true @@ -62,7 +89,30 @@ # 'Host *.alice.fr': # 'User': 'alice' # 'PasswordAuthentication': 'no' -# +# ssh::server::server_instances: +# sftp_server_init: +# ensure: present +# options: +# sshd_config: +# Port: 8022 +# Protocol: 2 +# AddressFamily: 'any' +# HostKey: '/etc/ssh/ssh_host_rsa_key' +# SyslogFacility: 'AUTH' +# LogLevel: INFO +# PermitRootLogin: 'no' +# sshd_service_options: '' +# match_blocks: +# '*,!ssh_exempt_ldap_authkey,!sshlokey': +# type: group +# options: +# AuthorizedKeysCommand: '/usr/local/bin/getauthkey' +# AuthorizedKeysCommandUser: 'nobody' +# AuthorizedKeysFile: '/dev/null' +# +# +# @server_instances +# Configure SSH instances # # @param server_options # Add dynamic options for ssh server config 
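Review bot: `# @server_instances` at the end of this hunk is not a puppet-strings tag, so the new parameter stays undocumented and `puppet strings` will warn about a missing `@param`; it should read `# @param server_instances` followed by the description line. The description itself, `Configure SSH instances`, could also state that instances are only created on Linux hosts with systemd and that the defined type fails elsewhere, since that is how `ssh::server::instances` behaves in this commit. The hiera example uses `'no'` and `'any'` as quoted strings but `INFO` unquoted, which is harmless here but inconsistent with the Puppet-hash example above it.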
@@ -98,18 +148,22 @@ # Use issue_net header # class ssh ( - Hash $server_options = {}, - Hash $server_match_block = {}, - Hash $client_options = {}, - Hash $users_client_options = {}, - String $version = 'present', - Boolean $storeconfigs_enabled = true, - Boolean $validate_sshd_file = $ssh::params::validate_sshd_file, - Boolean $use_augeas = false, - Array $server_options_absent = [], - Array $client_options_absent = [], - Boolean $use_issue_net = false, - Boolean $purge_unmanaged_sshkeys = true, + Hash[String[1],Hash[String[1],NotUndef]] $server_instances = {}, + Hash $server_options = {}, + Hash $server_match_block = {}, + Hash $client_options = {}, + Hash $users_client_options = {}, + String $version = 'present', + Boolean $storeconfigs_enabled = true, + Boolean $validate_sshd_file = $ssh::params::validate_sshd_file, + Boolean $use_augeas = false, + Array $server_options_absent = [], + Array $client_options_absent = [], + Boolean $use_issue_net = false, + Boolean $purge_unmanaged_sshkeys = true, + Stdlib::Absolutepath $sshd_dir = $ssh::params::sshd_dir, + Stdlib::Absolutepath $sshd_binary = $ssh::params::sshd_binary, + Optional[Stdlib::Absolutepath] $sshd_environments_file = $ssh::params::sshd_environments_file, ) inherits ssh::params { # Merge hashes from multiple layer of hierarchy in hiera $hiera_server_options = lookup("${module_name}::server_options", Optional[Hash], 'deep', {}) @@ -140,6 +194,12 @@ options_absent => $client_options_absent, } + $server_instances.each | String $instance_name, Hash $instance_settings | { + ssh::server::instances { $instance_name: + * => $instance_settings, + } + } + # If host keys are being managed, optionally purge unmanaged ones as well. if ($storeconfigs_enabled and $purge_unmanaged_sshkeys) { resources { 'sshkey': diff --git a/manifests/params.pp b/manifests/params.pp index 53768128..325de7ec 100644 --- a/manifests/params.pp +++ b/manifests/params.pp 
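Review bot: The three new class parameters `$sshd_dir`, `$sshd_binary` and `$sshd_environments_file` get no `@param` entry in any hunk of this file, while `$server_instances` does; puppet-strings will flag them and a module user cannot tell from the docs that `$sshd_environments_file` may be `undef`. I'd add `# @param sshd_dir`, `# @param sshd_binary` and `# @param sshd_environments_file` lines with one-line descriptions to the header comment. The `$server_instances.each` loop splats each settings hash straight into `ssh::server::instances`, so the `Hash[String[1],Hash[String[1],NotUndef]]` type only guards the key shape and a misspelled key surfaces as a resource error at compile time rather than as a parameter-validation message; a short comment on the loop saying that is intentional would help.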
@@ -9,7 +9,9 @@ $server_package_name = 'openssh-server' $client_package_name = 'openssh-client' $sshd_dir = '/etc/ssh' + $sshd_binary = '/usr/sbin/sshd' $sshd_config = '/etc/ssh/sshd_config' + $sshd_environments_file = '/etc/default/ssh' $ssh_config = '/etc/ssh/ssh_config' $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' $service_name = 'ssh' @@ -20,7 +22,9 @@ $server_package_name = 'openssh-server' $client_package_name = 'openssh-clients' $sshd_dir = '/etc/ssh' + $sshd_binary = '/usr/sbin/sshd' $sshd_config = '/etc/ssh/sshd_config' + $sshd_environments_file = '/etc/sysconfig/sshd' $ssh_config = '/etc/ssh/ssh_config' $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' $service_name = 'sshd' @@ -35,8 +39,10 @@ $server_package_name = undef $client_package_name = undef $sshd_dir = '/etc/ssh' + $sshd_binary = '/usr/local/sbin/sshd' $sshd_config = '/etc/ssh/sshd_config' $ssh_config = '/etc/ssh/ssh_config' + $sshd_environments_file = undef $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' $service_name = 'sshd' $sftp_server_path = '/usr/libexec/sftp-server' @@ -68,7 +74,9 @@ $server_package_name = 'openssh' $client_package_name = 'openssh' $sshd_dir = '/etc/ssh' + $sshd_binary = '/usr/bin/sshd' $sshd_config = '/etc/ssh/sshd_config' + $sshd_environments_file = undef $ssh_config = '/etc/ssh/ssh_config' $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' $service_name = 'sshd.service' @@ -79,7 +87,9 @@ $server_package_name = 'openssh' $client_package_name = 'openssh' $sshd_dir = '/etc/ssh' + $sshd_binary = '/usr/sbin/sshd' $sshd_config = '/etc/ssh/sshd_config' + $sshd_environments_file = '/etc/sysconfig/ssh' $ssh_config = '/etc/ssh/ssh_config' $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' $host_priv_key_group = 0 @@ -109,6 +119,8 @@ } } 'Solaris': { + $sshd_binary = '/usr/sbin/sshd' + $sshd_environments_file = undef case $facts['os']['name'] { 'SmartOS': { $server_package_name = undef 
@@ -154,6 +166,8 @@ $server_package_name = 'openssh' $client_package_name = 'openssh' $sshd_dir = '/etc/ssh' + $sshd_binary = '/usr/sbin/sshd' + $sshd_environments_file = undef $sshd_config = '/etc/ssh/sshd_config' $ssh_config = '/etc/ssh/ssh_config' $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' @@ -165,6 +179,8 @@ $server_package_name = 'openssh-server' $client_package_name = 'openssh-clients' $sshd_dir = '/etc/ssh' + $sshd_binary = '/usr/sbin/sshd' + $sshd_environments_file = '/etc/sysconfig/sshd' $sshd_config = '/etc/ssh/sshd_config' $ssh_config = '/etc/ssh/ssh_config' $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' diff --git a/manifests/server/instances.pp b/manifests/server/instances.pp new file mode 100644 index 00000000..f68a91ab --- /dev/null +++ b/manifests/server/instances.pp 
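Review bot: Not every OS branch visible in these hunks sets both new variables: the Linux, BSD, Solaris and SUSE-style branches get `$sshd_binary` and `$sshd_environments_file`, but I cannot see the Darwin or OpenBSD branches in this diff. Since `class ssh` declares `Stdlib::Absolutepath $sshd_binary = $ssh::params::sshd_binary` (non-Optional), any branch that leaves `$sshd_binary` unset would make the main class fail type checking on that platform; if those branches are untouched by the commit, that is worth confirming with a spec run on the full `on_supported_os` matrix. The branches that set `$sshd_environments_file = undef` could carry a one-line comment such as `# no EnvironmentFile= on this platform; the instance unit omits the line` so the `undef` does not read as a forgotten value.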
@@ -0,0 +1,65 @@
+# @summary A short summary of the purpose of this defined type.
+#
+# A description of what this defined type does
+#
+# @options
+# Structure see main class
+#
+# ssh::instances { 'namevar': }
+define ssh::server::instances (
+ String $ensure = present,
+ Hash $options = {},
+ String $service_ensure = 'running',
+ Boolean $service_enable = true,
+ Boolean $validate_config_file = false,
+ Stdlib::Absolutepath $sshd_instance_config_file = "${ssh::sshd_dir}/sshd_config.${title}",
+ Stdlib::Absolutepath $sshd_binary = $ssh::sshd_binary,
+ Optional[Stdlib::Absolutepath] $sshd_environments_file = $ssh::sshd_environments_file,
+) {
+ include ssh
+
+ $sshd_instance_config = assert_type(Hash, pick($options['sshd_config'], {}))
+ $sshd_instance_matchblocks = assert_type(Hash, pick($options['match_blocks'], {}))
+ $sshd_service_options = $options['sshd_service_options']
+ #check if server is a linux
+ if $facts['kernel'] == 'Linux' {
+ case $validate_config_file {
+ true: {
+ $validate_cmd = '/usr/sbin/sshd -tf %'
+ }
+ default: {
+ $validate_cmd = undef
+ }
+ }
+
+ concat { $sshd_instance_config_file:
+ ensure => $ensure,
+ owner => 0,
+ group => 0,
+ mode => '0600',
+ validate_cmd => $validate_cmd,
+ notify => Service["${title}.service"],
+ }
+
+ concat::fragment { "sshd instance ${title} config":
+ target => $sshd_instance_config_file,
+ content => template("${module_name}/ssh_instance.erb"),
+ order => '00',
+ }
+
+ $sshd_instance_matchblocks.each |String $matchblock_name, Hash $matchblock_options| {
+ ssh::server::match_block { $matchblock_name:
+ * => $matchblock_options,
+ target => $sshd_instance_config_file,
+ }
+ }
+
+ systemd::unit_file { "${title}.service":
+ content => template("${module_name}/ssh_instance_service.erb"),
+ active => true,
+ enable => true,
+ }
+ } else {
+ fail ("Operating System ${facts['os']['name']} not supported, because Systemd is not available")
+ }
+}
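Review bot: `$validate_cmd = '/usr/sbin/sshd -tf %'` hard-codes the binary although the `$sshd_binary` parameter exists for exactly this purpose, so config validation breaks on platforms where params.pp in this same commit puts sshd elsewhere (`/usr/bin/sshd`, `/usr/local/sbin/sshd`); it should be `$validate_cmd = "${sshd_binary} -tf %"`. `$service_ensure` and `$service_enable` are accepted but never read: `systemd::unit_file` is declared with `active => true, enable => true`, so `active => ($service_ensure == 'running'), enable => $service_enable,` would honour them. With `$ensure => absent` the concat file is removed but the unit is still written and activated, leaving a service that points at a deleted config; the `systemd::unit_file` should take the same `ensure`. The `Hash $options` keys (`sshd_config`, `match_blocks`, `sshd_service_options`) are only described as `Structure see main class`; a `@param options` entry naming the three keys, and `@param` lines for the other parameters, would replace the scaffold text at the top.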
diff --git a/manifests/server/match_block.pp b/manifests/server/match_block.pp index 2ba34f57..2ee1ad55 100644 --- a/manifests/server/match_block.pp +++ b/manifests/server/match_block.pp @@ -7,12 +7,14 @@ Hash $options = {}, String $type = 'user', Integer $order = 50, + Stdlib::Absolutepath $target = $ssh::sshd_config, ) { + include ssh if $ssh::server::use_augeas { fail('ssh::server::match_block() define not supported with use_augeas = true') } else { concat::fragment { "match_block ${name}": - target => $ssh::params::sshd_config, + target => $target, content => template("${module_name}/sshd_match_block.erb"), order => 200+$order, } diff --git a/metadata.json b/metadata.json index 4090fb8a..23870161 100644 --- a/metadata.json +++ b/metadata.json @@ -14,6 +14,10 @@ { "name": "puppetlabs/concat", "version_requirement": ">= 2.2.0 < 8.0.0" + }, + { + "name": "puppet/systemd", + "version_requirement": ">= 3.7.0 < 4.0.0" } ], "operatingsystem_support": [ diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index 9f9cb1e2..e4734645 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb 
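Review bot: The new default `Stdlib::Absolutepath $target = $ssh::sshd_config` refers to a variable that `class ssh` does not declare in this commit — its full parameter list has `$sshd_dir`, `$sshd_binary` and `$sshd_environments_file` but no `$sshd_config`, and the previous code read `$ssh::params::sshd_config`. Unless the class body sets `$sshd_config` somewhere not visible here, the default is `undef` and fails the `Stdlib::Absolutepath` check for every match_block declared without `target` (a hard error under strict variables); none of the new specs exercise the default since they all pass `target` explicitly. Either keep `$ssh::params::sshd_config` as the default or add a `$sshd_config` parameter to the class alongside the other three. The added `include ssh` is fine but worth a one-line comment, since it means declaring a match_block now always evaluates the main class.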
@@ -5,6 +5,41 @@ let(:facts) { os_facts } context "on #{os}" do + context 'Server with a seperate sftp_server_init instance on Port 8022' do + let :params do + { + 'server_instances' => { + 'sftp_server_init' => { + 'ensure' => 'present', + 'options' => { + 'sshd_config' => { + 'Port' => 8022, + 'Protocol' => 2, + 'AddressFamily' => 'any', + 'HostKey' => '/etc/ssh/ssh_host_rsa_key', + 'SyslogFacility' => 'AUTH', + 'LogLevel' => 'INFO', + 'PermitRootLogin' => 'no', + }, + 'sshd_service_options' => '', + 'match_blocks' => {}, + }, + }, + }, + } + end + + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_concat('/etc/ssh/sshd_config.sftp_server_init') } + it { is_expected.to contain_concat__fragment('sshd instance sftp_server_init config') } + it { is_expected.to contain_systemd__unit_file('sftp_server_init.service') } + it { is_expected.to contain_service('sftp_server_init.service') } + it { is_expected.to contain_ssh__server__instances('sftp_server_init') } + it { is_expected.to contain_class('ssh::client') } + it { is_expected.to contain_class('ssh::server') } + it { is_expected.to contain_concat('/etc/ssh/sshd_config').with_validate_cmd(nil) } + it { is_expected.to contain_resources('sshkey').with_purge(true) } + end context 'with all defaults' do it { is_expected.to compile.with_all_deps } end diff --git a/spec/defines/server/instances_spec.rb b/spec/defines/server/instances_spec.rb new file mode 100644 index 00000000..1882f8b3 --- /dev/null +++ b/spec/defines/server/instances_spec.rb 
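Review bot: The new `server_instances` context sits inside the `on_supported_os.each` loop but asserts `compile.with_all_deps` unconditionally, while `ssh::server::instances` fails outright when `$facts['kernel']` is not `Linux`; if metadata.json lists any non-Linux platform this context fails there. The define's own spec guards with `if os_facts[:kernel] != 'Linux'` and expects the `not supported, because Systemd is not available` error, and the same guard belongs here. `seperate` in the context name should be `separate`, and the instance hash uses string keys with `=>` while the surrounding file uses symbol keys.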
@@ -0,0 +1,133 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'ssh::server::instances' do + context 'with sftp_server present' do + let(:title) { 'sftp_server' } + let :pre_condition do + 'include ssh' + end + let(:params) do + { + 'ensure' => 'present', + 'options' => { + 'sshd_config' => { + 'Port' => 8022, + 'Protocol' => 2, + 'AddressFamily' => 'any', + 'HostKey' => '/etc/ssh/ssh_host_rsa_key', + 'SyslogFacility' => 'AUTH', + 'LogLevel' => 'INFO', + 'LoginGraceTime' => 120, + 'PermitRootLogin' => 'no', + 'StrictModes' => 'yes', + 'PubkeyAuthentication' => 'yes', + 'HostbasedAuthentication' => 'no', + 'IgnoreUserKnownHosts' => 'no', + 'IgnoreRhosts' => 'yes', + 'PasswordAuthentication' => 'yes', + 'ChallengeResponseAuthentication' => 'no', + 'GSSAPIAuthentication' => 'no', + 'GSSAPIKeyExchange' => 'no', + 'GSSAPICleanupCredentials' => 'yes', + 'UsePAM' => 'yes', + 'AcceptEnv' => %w[LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT LC_IDENTIFICATION LC_ALL], + 'AllowTcpForwarding' => 'no', + 'X11Forwarding' => 'no', + 'X11UseLocalhost' => 'yes', + 'PrintMotd' => 'yes', + 'TCPKeepAlive' => 'yes', + 'ClientAliveInterval' => 0, + 'ClientAliveCountMax' => 0, + 'UseDNS' => 'no', + 'PermitTunnel' => 'no', + 'Banner' => '/etc/ssh/sshd_banner.txt', + 'XAuthLocation' => '/usr/bin/xauth', + 'Subsystem' => 'sftp /usr/libexec/openssh/sftp-server', + 'Ciphers' => %w[aes128-ctr aes192-ctr aes256-ctr aes128-cbc 3des-cbc aes192-cbc aes256-cbc], + 'AllowGroups' => 'root lclssh ssh_all_systems VmAdmins', + }, + 'sshd_service_options' => '', + 'match_blocks' => { + '*,!ssh_exempt_ldap_authkey,!sshlokey' => { + 'type' => 'group', + 'options' => { + 'AuthorizedKeysCommand' => '/usr/local/bin/getauthkey', + 'AuthorizedKeysCommandUser' => 'nobody', + 'AuthorizedKeysFile' => '/dev/null', + }, + }, + 'ssh_deny_pw_auth,sshdnypw' => { + 'type' => 'group', + 'options' => { + 
'KbdInteractiveAuthentication' => 'no', + 'PasswordAuthentication' => 'no', + }, + }, + }, + }, + 'service_ensure' => 'running', + 'service_enable' => true, + 'validate_config_file' => true, + } + end + + on_supported_os.each do |os, os_facts| + context "on #{os}" do + let(:facts) { os_facts } + + if os_facts[:kernel] != 'Linux' + it { is_expected.to compile.and_raise_error(%r{not supported, because Systemd is not available}) } + else + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_concat('/etc/ssh/sshd_config.sftp_server') } + it { is_expected.to contain_concat__fragment('sshd instance sftp_server config') } + it { is_expected.to contain_ssh__server__match_block('ssh_deny_pw_auth,sshdnypw') } + it { is_expected.to contain_ssh__server__match_block('*,!ssh_exempt_ldap_authkey,!sshlokey') } + it { is_expected.to contain_systemd__unit_file('sftp_server.service') } + it { is_expected.to contain_service('sftp_server.service') } + end + end + end + end + context 'minimal setup' do + let(:title) { 'sftp_server' } + let :pre_condition do + 'include ssh' + end + let(:params) do + { + 'ensure' => 'present', + 'options' => { + 'sshd_config' => { + 'Port' => 8022, + 'Protocol' => 2, + 'AddressFamily' => 'any', + 'HostKey' => '/etc/ssh/ssh_host_rsa_key', + 'SyslogFacility' => 'AUTH', + 'LogLevel' => 'INFO', + 'PermitRootLogin' => 'no', + }, + 'sshd_service_options' => '', + 'match_blocks' => {}, + }, + } + end + + on_supported_os.each do |os, os_facts| + context "on #{os}" do + let(:facts) { os_facts } + + if os_facts[:kernel] != 'Linux' + it { is_expected.to compile.and_raise_error(%r{not supported, because Systemd is not available}) } + else + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_concat__fragment('sshd instance sftp_server config') } + it { is_expected.to contain_systemd__unit_file('sftp_server.service') } + it { is_expected.to contain_service('sftp_server.service') } + end + end + end + end +end 
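Review bot: The first context passes `'validate_config_file' => true` but nothing asserts the resulting `validate_cmd`, so the hard-coded `/usr/sbin/sshd -tf %` in the define is never compared with the platform's `sshd_binary`; add `it { is_expected.to contain_concat('/etc/ssh/sshd_config.sftp_server').with_validate_cmd(...) }` with the expected command, and `.with_validate_cmd(nil)` in the minimal context. Neither context checks the rendered fragment, so a regression in `ssh_instance.erb` (say `Port 8022` missing) would still pass; `with_content(%r{^Port 8022$})` on the `sshd instance sftp_server config` fragment would cover the template. The two `on_supported_os` blocks are duplicated verbatim apart from the expectations and would read better as a `shared_examples` block.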
diff --git a/spec/defines/server/match_block_spec.rb b/spec/defines/server/match_block_spec.rb new file mode 100644 index 00000000..0a258b27 --- /dev/null +++ b/spec/defines/server/match_block_spec.rb @@ -0,0 +1,57 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'ssh::server::match_block' do + context 'with *,!ssh_exempt_ldap_authkey,!sshlokey present' do + let(:title) { '*,!ssh_exempt_ldap_authkey,!sshlokey' } + let :pre_condition do + 'include ssh' + end + let(:params) do + { + 'type' => 'group', + 'options' => { + 'AuthorizedKeysCommand' => '/usr/local/bin/getauthkey', + 'AuthorizedKeysCommandUser' => 'nobody', + 'AuthorizedKeysFile' => '/dev/null', + }, + 'target' => '/etc/ssh/sshd_config_sftp_server', + } + end + + on_supported_os.each do |os, os_facts| + context "on #{os}" do + let(:facts) { os_facts } + + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_concat__fragment('match_block *,!ssh_exempt_ldap_authkey,!sshlokey') } + end + end + end + context 'with ssh_deny_pw_auth,sshdnypw' do + let(:title) { 'ssh_deny_pw_auth,sshdnypw' } + let :pre_condition do + 'include ssh' + end + let(:params) do + { + 'type' => 'group', + 'options' => { + 'KbdInteractiveAuthentication' => 'no', + 'PasswordAuthentication' => 'no', + }, + 'target' => '/etc/ssh/sshd_config_sftp_server', + } + end + + on_supported_os.each do |os, os_facts| + context "on #{os}" do + let(:facts) { os_facts } + + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_concat__fragment('match_block ssh_deny_pw_auth,sshdnypw') } + end + end + end +end diff --git a/templates/ssh_instance.erb b/templates/ssh_instance.erb new file mode 100644 index 00000000..66ae52ac --- /dev/null +++ b/templates/ssh_instance.erb 
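Review bot: Both contexts pass an explicit `target` and only assert that the `match_block …` fragment exists, so neither the new `target` parameter nor its default path is verified; add `.with_target('/etc/ssh/sshd_config_sftp_server')` to the existing expectation and a third context without `target` to pin the default. A `with_content` check on the rendered `Match` header would also catch template regressions, which the presence check cannot. The second context's description lacks the `present` suffix the first one has; minor, but the two should match.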
@@ -0,0 +1,63 @@ +# File is managed by Puppet +<%- + def bool2str(v) + case v + when true + 'yes' + when false + 'no' + else + v + end + end +-%> +<%- if addressfamily = @sshd_instance_config.delete('AddressFamily') -%> +AddressFamily <%= addressfamily %> +<%- end -%> +<%- if port = @sshd_instance_config.delete('Port') -%> +<%- if port.is_a?(Array) -%> +<%- port.reject{ |x| x.to_s.strip.empty? }.each do |p| -%> +Port <%= p %> +<%- end -%> +<%- elsif not port.to_s.strip.empty? -%> +Port <%= port %> +<%- end -%> +<%- end -%> +<%- if listen = @sshd_instance_config.delete('ListenAddress') -%> +<%- if listen.is_a?(Array) -%> +<%- listen.reject{ |x| x.strip.empty? }.each do |l| -%> +ListenAddress <%= l %> +<%- end -%> +<%- elsif not listen.strip.empty? -%> +ListenAddress <%= listen %> +<%- end -%> +<%- end -%> + +<%- @sshd_instance_config.keys.sort_by{ |sk| (sk.to_s.downcase.include? "match") ? 'zzz' + sk.to_s : sk.to_s }.each do |k| -%> +<%- v = @sshd_instance_config[k] -%> +<%- if v.is_a?(Hash) -%> +<%= k %> +<%- v.keys.sort.each do |key| -%> + <%- value = v[key] -%> + <%- if value.is_a?(Array) -%> + <%- value.each do |a| -%> + <%- if a != '' && a != nil -%> + <%= key %> <%= bool2str(a) %> + <%- end -%> + <%- end -%> + <%- elsif value != '' && value != nil -%> + <%= key %> <%= bool2str(value) %> + <%- end -%> +<%- end -%> +<%- else -%> +<%- if v.is_a?(Array) -%> +<%- v.each do |a| -%> +<%- if a != '' && a != nil -%> +<%= k %> <%= bool2str(a) %> +<%- end -%> +<%- end -%> +<%- elsif v != nil and v != '' -%> +<%= k %> <%= bool2str(v) %> +<%- end -%> +<%- end -%> +<%- end -%> diff --git a/templates/ssh_instance_service.erb b/templates/ssh_instance_service.erb new file mode 100644 index 00000000..a16201a3 --- /dev/null +++ b/templates/ssh_instance_service.erb 
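Review bot: The `ListenAddress` branch calls `x.strip` and `listen.strip` while the `Port` branch above uses `x.to_s.strip`, so a non-string ListenAddress value raises `NoMethodError` inside the template; use `x.to_s.strip` and `listen.to_s.strip` in both places. `@sshd_instance_config.delete(...)` mutates the hash handed in from the manifest — that is safe only because the define uses `$sshd_instance_config` for this single template, so either say so (`<%# delete() so these keys are not printed again below -%>`) or work on a `dup` at the top to keep the template side-effect free. The `bool2str` helper and the sort-Match-keys-last logic look like a copy of the main sshd_config template; if so, a comment naming that file would help keep the two in sync.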
@@ -0,0 +1,23 @@ +# <%= @sshd_instance_service_name %> +# This file is managed by Puppet. +# DO NOT EDIT + +[Unit] +Description=SSHD Instance <%= @title %> +Documentation=man:sshd(8) man:sshd_config(5) +After=network.target sshd-keygen.service +Wants=sshd-keygen.service + +[Service] +Type=notify +<% if @sshd_environments_file %> +EnvironmentFile=<%= @sshd_environments_file -%> +<% end %> +ExecStart=<%= @sshd_binary %> -f <%= @sshd_instance_config_file %> -D $OPTIONS <%= @sshd_service_options %> +ExecReload=/bin/kill -HUP $MAINPID +KillMode=process +Restart=on-failure +RestartSec=15s + +[Install] +WantedBy=multi-user.target From 25e64d5ede02b0aa978c450734dee189bf3908c4 Mon Sep 17 00:00:00 2001 From: Simon Hoenscheid Date: Fri, 18 Mar 2022 17:10:08 +0100 Subject: [PATCH 156/246] added acceptance tests for an ssh instance --- .github/workflows/ci.yml | 2 -- manifests/server/instances.pp | 4 +-- metadata.json | 2 +- spec/acceptance/init_spec.rb | 47 +++++++++++++++++++++++++++++- templates/ssh_instance_service.erb | 1 - 5 files changed, 49 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9db67001..d946464c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -54,7 +54,6 @@ jobs: bundler-cache: true - name: Run tests run: bundle exec rake parallel_spec - acceptance: needs: setup_matrix runs-on: ubuntu-latest @@ -77,7 +76,6 @@ jobs: env: BEAKER_PUPPET_COLLECTION: ${{ matrix.puppet.collection }} BEAKER_setfile: ${{ matrix.setfile.value }} - tests: needs: - unit diff --git a/manifests/server/instances.pp b/manifests/server/instances.pp index f68a91ab..cb0b1f2f 100644 --- a/manifests/server/instances.pp +++ b/manifests/server/instances.pp 
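Review bot: The first line references `@sshd_instance_service_name`, which `ssh::server::instances` never sets (it defines `sshd_instance_config_file`, `sshd_binary`, `sshd_environments_file` and `sshd_service_options`), so the comment renders as a bare `# `; `# <%= @title %>.service` is what was probably meant. `After=network.target sshd-keygen.service` and `Wants=sshd-keygen.service` hard-code a RedHat-family unit, yet the same commit sets `sshd_environments_file` to `/etc/default/ssh` for Debian-family hosts where no such unit exists; systemd tolerates a missing `Wants=` target but logs it on every start, so guard those two lines on the OS family or drop them. `ExecStart` splices `<%= @sshd_service_options %>` unquoted after `$OPTIONS`, so the value has to be a pre-formatted argument string; a comment on `$sshd_service_options` in the manifest stating that would avoid surprises.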
@@ -7,9 +7,9 @@ # # ssh::instances { 'namevar': } define ssh::server::instances ( - String $ensure = present, + Enum[present, absent] $ensure = present, Hash $options = {}, - String $service_ensure = 'running', + Stdlib::Ensure::Service $service_ensure = 'running', Boolean $service_enable = true, Boolean $validate_config_file = false, Stdlib::Absolutepath $sshd_instance_config_file = "${ssh::sshd_dir}/sshd_config.${title}", diff --git a/metadata.json b/metadata.json index 23870161..7f5149b4 100644 --- a/metadata.json +++ b/metadata.json @@ -109,7 +109,7 @@ ] }, { - "operatingsystem": "ArchLinux" + "operatingsystem": "Archlinux" } ], "requirements": [ diff --git a/spec/acceptance/init_spec.rb b/spec/acceptance/init_spec.rb index 5ab3f173..7808cc7f 100644 --- a/spec/acceptance/init_spec.rb +++ b/spec/acceptance/init_spec.rb @@ -3,13 +3,19 @@ require 'spec_helper_acceptance' describe 'ssh' do + package_name = case fact('os.family') + when 'Archlinux' + 'openssh' + else + 'openssh-server' + end context 'with defaults' do it_behaves_like 'an idempotent resource' do let(:manifest) do 'include ssh' end - describe package('openssh-server') do + describe package(package_name) do it { is_expected.to be_installed } end describe port(22) do 
@@ -21,4 +27,43 @@ end end end + context 'Server with a seperate sftp_server_init instance on Port 8022' do + it_behaves_like 'an idempotent resource' do + let(:manifest) do + <<-PUPPET + class { 'ssh': + server_instances => { + 'sftp_server_init' => { + 'ensure' => 'present', + 'options' => { + 'sshd_config' => { + 'Port' => 8022, + 'Protocol' => 2, + 'AddressFamily' => 'any', + 'HostKey' => '/etc/ssh/ssh_host_rsa_key', + 'SyslogFacility' => 'AUTH', + 'LogLevel' => 'INFO', + 'PermitRootLogin' => 'no', + }, + 'sshd_service_options' => '', + 'match_blocks' => {}, + }, + }, + }, + } + PUPPET + end + + describe package(package_name) do + it { is_expected.to be_installed } + end + describe port(8022) do + it { is_expected.to be_listening } + end + describe service('sftp_server_init') do + it { is_expected.to be_enabled } + it { is_expected.to be_running } + end + end + end end diff --git a/templates/ssh_instance_service.erb b/templates/ssh_instance_service.erb index a16201a3..283a8116 100644 --- a/templates/ssh_instance_service.erb +++ b/templates/ssh_instance_service.erb @@ -9,7 +9,6 @@ After=network.target sshd-keygen.service Wants=sshd-keygen.service [Service] -Type=notify <% if @sshd_environments_file %> EnvironmentFile=<%= @sshd_environments_file -%> <% end %> From c8d834cfc06e7f70d5f8b48e213d58e4ba6ba39d Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Fri, 25 Mar 2022 10:32:17 +0100 Subject: [PATCH 157/246] prepare release: v9.0.0 --- CHANGELOG.md | 6 ++++++ metadata.json | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1ef2adb1..9fe925f2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [9.0.0] +### Added +- Support for multiple instances (#318, #319, #321) - Thanks! +### Changed +- "hostkeys.pp" isn't marked private anymore (#317) + ## [8.0.0] ### Changed - update path to sftp server on Gentoo (#315, breaking change) diff --git a/metadata.json b/metadata.json index 7f5149b4..ba80f959 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "saz-ssh", - "version": "8.0.0", + "version": "9.0.0", "author": "saz", "summary": "Manage SSH client and server via Puppet.", "license": "Apache-2.0", From 45b81357a036c087fbafdbe92a2ee8516c0aec26 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Fri, 25 Mar 2022 10:55:52 +0100 Subject: [PATCH 158/246] remove trailing whitespace from CHANGELOG.md --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9fe925f2..9f960627 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,7 +6,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [9.0.0] ### Added -- Support for multiple instances (#318, #319, #321) - Thanks! +- Support for multiple instances (#318, #319, #321) - Thanks! ### Changed - "hostkeys.pp" isn't marked private anymore (#317) From f518b38e7898951d1e7976c691c1316b9323c839 Mon Sep 17 00:00:00 2001 
From: Simon Hoenscheid Date: Wed, 23 Mar 2022 17:58:27 +0100 Subject: [PATCH 159/246] Move all defaults to data directoy, remove params.pp, client and server are now private classes. --- data/Amazon.yaml | 12 ++ data/Archlinux.yaml | 11 + data/Darwin.yaml | 8 + data/Debian.yaml | 12 ++ data/DragonFly.yaml | 9 + data/FreeBSD.yaml | 9 + data/Gentoo.yaml | 11 + data/OpenBSD.yaml | 20 ++ data/OpenSuse.yaml | 3 + data/RedHat-7.yaml | 2 + data/RedHat.yaml | 12 ++ data/SLES-10-x86_64.yaml | 2 + data/SLES-11-x86_64.yaml | 2 + data/SLES.yaml | 3 + data/SmartOS.yaml | 8 + data/Solaris-10.yaml | 3 + data/Solaris.yaml | 16 ++ data/Suse.yaml | 10 + data/common.yaml | 26 +++ hiera.yaml | 25 +++ manifests/client.pp | 8 +- manifests/client/config.pp | 2 +- manifests/client/config/user.pp | 6 +- manifests/client/install.pp | 4 +- manifests/init.pp | 22 +- manifests/knownhosts.pp | 4 +- manifests/params.pp | 254 ------------------------ manifests/server.pp | 8 +- manifests/server/config.pp | 14 +- manifests/server/config/setting.pp | 4 +- manifests/server/host_key.pp | 16 +- manifests/server/install.pp | 6 +- manifests/server/match_block.pp | 3 - manifests/server/options.pp | 2 +- manifests/server/service.pp | 4 +- spec/classes/client_spec.rb | 28 --- spec/classes/server_spec.rb | 141 ------------- spec/defines/server/match_block_spec.rb | 71 +++---- 38 files changed, 293 insertions(+), 508 deletions(-) create mode 100644 data/Amazon.yaml create mode 100644 data/Archlinux.yaml create mode 100644 data/Darwin.yaml create mode 100644 data/Debian.yaml create mode 100644 data/DragonFly.yaml create mode 100644 data/FreeBSD.yaml create mode 100644 data/Gentoo.yaml create mode 100644 data/OpenBSD.yaml create mode 100644 data/OpenSuse.yaml create mode 100644 data/RedHat-7.yaml create mode 100644 data/RedHat.yaml create mode 100644 data/SLES-10-x86_64.yaml create mode 100644 data/SLES-11-x86_64.yaml create mode 100644 data/SLES.yaml create mode 100644 data/SmartOS.yaml create mode 100644 
data/Solaris-10.yaml create mode 100644 data/Solaris.yaml create mode 100644 data/Suse.yaml create mode 100644 data/common.yaml create mode 100644 hiera.yaml delete mode 100644 manifests/params.pp delete mode 100644 spec/classes/client_spec.rb delete mode 100644 spec/classes/server_spec.rb diff --git a/data/Amazon.yaml b/data/Amazon.yaml new file mode 100644 index 00000000..3869c98c --- /dev/null +++ b/data/Amazon.yaml @@ -0,0 +1,12 @@ +--- +ssh::server_package_name: 'openssh-server' +ssh::client_package_name: 'openssh-clients' +ssh::sshd_dir: '/etc/ssh' +ssh::sshd_binary: '/usr/sbin/sshd' +ssh::sshd_environments_file: '/etc/sysconfig/sshd' +ssh::sshd_config: '/etc/ssh/sshd_config' +ssh::ssh_config: '/etc/ssh/ssh_config' +ssh::ssh_known_hosts: '/etc/ssh/ssh_known_hosts' +ssh::service_name: 'sshd' +ssh::sftp_server_path: '/usr/libexec/openssh/sftp-server' +ssh::host_priv_key_group: 0 diff --git a/data/Archlinux.yaml b/data/Archlinux.yaml new file mode 100644 index 00000000..73b6ee1a --- /dev/null +++ b/data/Archlinux.yaml @@ -0,0 +1,11 @@ +--- +ssh::server_package_name: 'openssh' +ssh::client_package_name: 'openssh' +ssh::sshd_dir: '/etc/ssh' +ssh::sshd_binary: '/usr/bin/sshd' +ssh::sshd_config: '/etc/ssh/sshd_config' +ssh::ssh_config: '/etc/ssh/ssh_config' +ssh::ssh_known_hosts: '/etc/ssh/ssh_known_hosts' +ssh::service_name: 'sshd.service' +ssh::sftp_server_path: '/usr/lib/ssh/sftp-server' +ssh::host_priv_key_group: 0 diff --git a/data/Darwin.yaml b/data/Darwin.yaml new file mode 100644 index 00000000..f3cff65c --- /dev/null +++ b/data/Darwin.yaml @@ -0,0 +1,8 @@ +--- +ssh::sshd_dir: '/etc/ssh' +ssh::sshd_config: '/etc/ssh/sshd_config' +ssh::ssh_config: '/etc/ssh/ssh_config' +ssh::ssh_known_hosts: '/etc/ssh/ssh_known_hosts' +ssh::service_name: 'com.openssh.sshd' +ssh::sftp_server_path: '/usr/libexec/sftp-server' +ssh::host_priv_key_group: 0 diff --git a/data/Debian.yaml b/data/Debian.yaml new file mode 100644 index 00000000..e07e99ce --- /dev/null 
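Review bot: `data/Darwin.yaml` sets no `ssh::sshd_binary`, and neither do `data/OpenBSD.yaml` and `data/SmartOS.yaml` later in this commit, whereas every Linux and BSD file does. In the preceding commits the class parameter is typed `Stdlib::Absolutepath` (non-Optional), so catalogs on those three platforms would fail unless `data/common.yaml` (not in view) supplies a default or this commit's init.pp changes make the parameter `Optional`; worth confirming which holds, or adding the key to the three files. `ssh::host_priv_key_group: 0` is repeated in almost every file and looks like a `common.yaml` candidate.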
+++ b/data/Debian.yaml @@ -0,0 +1,12 @@ +--- +ssh::server_package_name: 'openssh-server' +ssh::client_package_name: 'openssh-client' +ssh::sshd_dir: '/etc/ssh' +ssh::sshd_binary: '/usr/sbin/sshd' +ssh::sshd_config: '/etc/ssh/sshd_config' +ssh::sshd_environments_file: '/etc/default/ssh' +ssh::ssh_config: '/etc/ssh/ssh_config' +ssh::ssh_known_hosts: '/etc/ssh/ssh_known_hosts' +ssh::service_name: 'ssh' +ssh::sftp_server_path: '/usr/lib/openssh/sftp-server' +ssh::host_priv_key_group: 0 diff --git a/data/DragonFly.yaml b/data/DragonFly.yaml new file mode 100644 index 00000000..1c1ae476 --- /dev/null +++ b/data/DragonFly.yaml @@ -0,0 +1,9 @@ +--- +ssh::sshd_dir: '/etc/ssh' +ssh::sshd_binary: '/usr/local/sbin/sshd' +ssh::sshd_config: '/etc/ssh/sshd_config' +ssh::ssh_config: '/etc/ssh/ssh_config' +ssh::ssh_known_hosts: '/etc/ssh/ssh_known_hosts' +ssh::service_name: 'sshd' +ssh::sftp_server_path: '/usr/libexec/sftp-server' +ssh::host_priv_key_group: 0 diff --git a/data/FreeBSD.yaml b/data/FreeBSD.yaml new file mode 100644 index 00000000..1c1ae476 --- /dev/null +++ b/data/FreeBSD.yaml @@ -0,0 +1,9 @@ +--- +ssh::sshd_dir: '/etc/ssh' +ssh::sshd_binary: '/usr/local/sbin/sshd' +ssh::sshd_config: '/etc/ssh/sshd_config' +ssh::ssh_config: '/etc/ssh/ssh_config' +ssh::ssh_known_hosts: '/etc/ssh/ssh_known_hosts' +ssh::service_name: 'sshd' +ssh::sftp_server_path: '/usr/libexec/sftp-server' +ssh::host_priv_key_group: 0 diff --git a/data/Gentoo.yaml b/data/Gentoo.yaml new file mode 100644 index 00000000..e0ae775b --- /dev/null +++ b/data/Gentoo.yaml @@ -0,0 +1,11 @@ +--- +ssh::server_package_name: 'openssh' +ssh::client_package_name: 'openssh' +ssh::sshd_dir: '/etc/ssh' +ssh::sshd_binary: '/usr/sbin/sshd' +ssh::sshd_config: '/etc/ssh/sshd_config' +ssh::ssh_config: '/etc/ssh/ssh_config' +ssh::ssh_known_hosts: '/etc/ssh/ssh_known_hosts' +ssh::service_name: 'sshd' +ssh::sftp_server_path: '/usr/lib64/misc/sftp-server' +ssh::host_priv_key_group: 0 
diff --git a/data/OpenBSD.yaml b/data/OpenBSD.yaml
new file mode 100644
index 00000000..74d6f03e
--- /dev/null
+++ b/data/OpenBSD.yaml
@@ -0,0 +1,20 @@
+---
+ssh::sshd_dir: '/etc/ssh'
+ssh::sshd_config: '/etc/ssh/sshd_config'
+ssh::ssh_config: '/etc/ssh/ssh_config'
+ssh::ssh_known_hosts: '/etc/ssh/ssh_known_hosts'
+ssh::service_name: 'sshd'
+ssh::sftp_server_path: '/usr/libexec/sftp-server'
+ssh::host_priv_key_group: 0
+
+ssh::sshd_default_options:
+  ChallengeResponseAuthentication: 'no'
+  X11Forwarding : 'yes'
+  PrintMotd : 'no'
+  AcceptEnv : 'LANG LC_*'
+  Subsystem : "sftp %{lookup('ssh::sftp_server_path')}"
+
+ssh::ssh_default_options:
+  'Host *':
+    SendEnv: 'LANG LC_*'
+    HashKnownHosts: 'yes'
diff --git a/data/OpenSuse.yaml b/data/OpenSuse.yaml
new file mode 100644
index 00000000..054cfc3f
--- /dev/null
+++ b/data/OpenSuse.yaml
@@ -0,0 +1,3 @@
+---
+ssh::service_name: 'sshd'
+ssh::sftp_server_path: '/usr/lib/ssh/sftp-server'
diff --git a/data/RedHat-7.yaml b/data/RedHat-7.yaml
new file mode 100644
index 00000000..845f62a3
--- /dev/null
+++ b/data/RedHat-7.yaml
@@ -0,0 +1,2 @@
+---
+ssh::host_priv_key_group: 'ssh_keys'
diff --git a/data/RedHat.yaml b/data/RedHat.yaml
new file mode 100644
index 00000000..e93a7e92
--- /dev/null
+++ b/data/RedHat.yaml
@@ -0,0 +1,12 @@
+---
+ssh::server_package_name: 'openssh-server'
+ssh::client_package_name: 'openssh-clients'
+ssh::sshd_dir: '/etc/ssh'
+ssh::sshd_binary: '/usr/sbin/sshd'
+ssh::sshd_config: '/etc/ssh/sshd_config'
+ssh::sshd_environments_file: '/etc/sysconfig/sshd'
+ssh::ssh_config: '/etc/ssh/ssh_config'
+ssh::ssh_known_hosts: '/etc/ssh/ssh_known_hosts'
+ssh::service_name: 'sshd'
+ssh::sftp_server_path: '/usr/libexec/openssh/sftp-server'
+ssh::host_priv_key_group: 0
diff --git a/data/SLES-10-x86_64.yaml b/data/SLES-10-x86_64.yaml
new file mode 100644
index 00000000..cc0f1a61
--- /dev/null
+++ b/data/SLES-10-x86_64.yaml
@@ -0,0 +1,2 @@
+---
+ssh::sftp_server_path: '/usr/lib64/ssh/sftp-server'
diff --git a/data/SLES-11-x86_64.yaml b/data/SLES-11-x86_64.yaml
new file mode 100644
index 00000000..cc0f1a61
--- /dev/null
+++ b/data/SLES-11-x86_64.yaml
@@ -0,0 +1,2 @@
+---
+ssh::sftp_server_path: '/usr/lib64/ssh/sftp-server'
diff --git a/data/SLES.yaml b/data/SLES.yaml
new file mode 100644
index 00000000..054cfc3f
--- /dev/null
+++ b/data/SLES.yaml
@@ -0,0 +1,3 @@
+---
+ssh::service_name: 'sshd'
+ssh::sftp_server_path: '/usr/lib/ssh/sftp-server'
diff --git a/data/SmartOS.yaml b/data/SmartOS.yaml
new file mode 100644
index 00000000..91ddccdd
--- /dev/null
+++ b/data/SmartOS.yaml
@@ -0,0 +1,8 @@
+---
+ssh::sshd_dir: '/etc/ssh'
+ssh::sshd_config: '/etc/ssh/sshd_config'
+ssh::ssh_config: '/etc/ssh/ssh_config'
+ssh::ssh_known_hosts: '/etc/ssh/ssh_known_hosts'
+ssh::service_name: 'svc:/network/ssh:default'
+ssh::sftp_server_path: 'internal-sftp'
+ssh::host_priv_key_group: 0
diff --git a/data/Solaris-10.yaml b/data/Solaris-10.yaml
new file mode 100644
index 00000000..35a59395
--- /dev/null
+++ b/data/Solaris-10.yaml
@@ -0,0 +1,3 @@
+---
+ssh::server_package_name: 'SUNWsshdu'
+ssh::client_package_name: 'SUNWsshu'
diff --git a/data/Solaris.yaml b/data/Solaris.yaml
new file mode 100644
index 00000000..dadf33f4
--- /dev/null
+++ b/data/Solaris.yaml
@@ -0,0 +1,16 @@
+---
+ssh::server_package_name: '/service/network/ssh'
+ssh::client_package_name: '/network/ssh'
+ssh::sshd_binary: '/lib/svc/method/sshd'
+ssh::ssh::service_name: 'svc:/network/ssh:default'
+
+ssh:sshd_default_options:
+  ChallengeResponseAuthentication: 'no'
+  X11Forwarding: 'yes'
+  PrintMotd: 'no'
+  Subsystem: "sftp %{lookup('ssh::sftp_server_path')}"
+  HostKey:
+    - "%{lookup('ssh::sshd_dir')}/ssh_host_rsa_key"
+    - "%{lookup('ssh::sshd_dir')}/ssh_host_dsa_key"
+
+ssh::ssh_default_options: {}
diff --git a/data/Suse.yaml b/data/Suse.yaml
new file mode 100644
index 00000000..bdd1fd13
--- /dev/null
+++ b/data/Suse.yaml
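Review bot: Two keys in data/Solaris.yaml are misspelled and will never bind to the class parameters they are meant for: `ssh::ssh::service_name` (doubled prefix) and `ssh:sshd_default_options` (single colon). Hiera ignores an unknown key without any error, so on the Solaris family `ssh::service_name` and `ssh::sshd_default_options` fall through to common.yaml; the service name happens to be identical there, but the sshd defaults then come from the generic hash with `UsePAM` and `AcceptEnv` (options the removed params.pp comment says Sun_SSH does not understand) and without the HostKey entries this file tries to set. They should read `ssh::service_name: 'svc:/network/ssh:default'` and `ssh::sshd_default_options:`. Separately, `ssh::sshd_binary` changes from the removed params.pp value `/usr/sbin/sshd` to `/lib/svc/method/sshd`, which looks like an SMF method script rather than the daemon; if this value feeds the `validate_sshd_file` check, confirm it accepts the same arguments. A spec that compiles the module against a Solaris fact set would have caught both.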
@@ -0,0 +1,10 @@
+---
+ssh::server_package_name: 'openssh'
+ssh::client_package_name: 'openssh'
+ssh::sshd_dir: '/etc/ssh'
+ssh::sshd_binary: '/usr/sbin/sshd'
+ssh::sshd_config: '/etc/ssh/sshd_config'
+ssh::sshd_environments_file: '/etc/sysconfig/ssh'
+ssh::ssh_config: '/etc/ssh/ssh_config'
+ssh::ssh_known_hosts: '/etc/ssh/ssh_known_hosts'
+ssh::host_priv_key_group: 0
diff --git a/data/common.yaml b/data/common.yaml
new file mode 100644
index 00000000..ee5159df
--- /dev/null
+++ b/data/common.yaml
@@ -0,0 +1,26 @@
+---
+ssh::sshd_dir: '/etc/ssh'
+ssh::sshd_config: '/etc/ssh/sshd_config'
+ssh::ssh_config: '/etc/ssh/ssh_config'
+ssh::ssh_known_hosts: '/etc/ssh/ssh_known_hosts'
+ssh::service_name: 'svc:/network/ssh:default'
+ssh::sftp_server_path: 'internal-sftp'
+ssh::host_priv_key_group: 0
+ssh::validate_sshd_file : false
+ssh::user_ssh_directory_default_mode: '0700'
+ssh::user_ssh_config_default_mode : '0600'
+ssh::collect_enabled : true # Collect sshkey resources
+ssh::issue_net : '/etc/issue.net'
+
+ssh::sshd_default_options:
+  ChallengeResponseAuthentication: 'no'
+  X11Forwarding: 'yes'
+  PrintMotd: 'no'
+  AcceptEnv: 'LANG LC_*'
+  Subsystem: "sftp %{lookup('ssh::sftp_server_path')}"
+  UsePAM: 'yes'
+
+ssh::ssh_default_options:
+  'Host *':
+    SendEnv: 'LANG LC_*'
+    HashKnownHosts: 'yes'
diff --git a/hiera.yaml b/hiera.yaml
new file mode 100644
index 00000000..bc6d659d
--- /dev/null
+++ b/hiera.yaml
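Review bot: common.yaml is the catch-all layer, yet it carries Solaris-specific values (`ssh::service_name: 'svc:/network/ssh:default'`, `ssh::sftp_server_path: 'internal-sftp'`) and no `ssh::sshd_binary` at all, so an OS the module does not know about no longer hits the `fail("Unsupported platform ...")` that the removed params.pp raised and instead silently gets an SMF service name managed on it. Because init.pp in this same patch declares `Stdlib::Absolutepath $sshd_binary` with no default, platforms whose data file also omits it (OpenBSD.yaml and Darwin.yaml above) will fail catalog compilation with a missing-parameter error unless site hiera supplies one — the old params.pp did not set it for those platforms either, so this may be pre-existing, but the data layout now makes it easy to fix. I would move the Solaris values into data/Solaris.yaml, keep only genuinely generic defaults here, and add a header comment such as `# Fallback values; every supported platform is expected to override service_name and sftp_server_path in its own file.`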
@@ -0,0 +1,25 @@
+---
+version: 5
+
+defaults:
+  datadir: 'data'
+  data_hash: 'yaml_data'
+
+hierarchy:
+  - name: 'Operating System Family'
+    path: '%{facts.os.family}.yaml'
+
+  - name: 'Full Version'
+    path: '%{facts.os.name}-%{facts.os.release.full}.yaml'
+
+  - name: 'Distribution Name'
+    path: '%{facts.os.name}.yaml'
+
+  - name: 'Major Version'
+    path: '%{facts.os.name}-%{facts.os.release.major}.yaml'
+
+  - name: 'Major Version with architecture'
+    path: '%{facts.os.name}-%{facts.os.release.major}-%{facts.os.architecture}.yaml'
+
+  - name: 'common'
+    path: 'common.yaml'
diff --git a/manifests/client.pp b/manifests/client.pp
index edf6c1fe..759a9f49 100644
--- a/manifests/client.pp
+++ b/manifests/client.pp
@@ -1,3 +1,4 @@
+# @api private
 # @summary
 # This class add ssh client management
 #
@@ -26,16 +27,17 @@
   Hash $options = {},
   Boolean $use_augeas = false,
   Array $options_absent = [],
-) inherits ssh::params {
+) {
+  assert_private()
   # Merge hashes from multiple layer of hierarchy in hiera
   $hiera_options = lookup("${module_name}::client::options", Optional[Hash], 'deep', {})
   $fin_options = deep_merge($hiera_options, $options)
   if $use_augeas {
-    $merged_options = sshclient_options_to_augeas_ssh_config($fin_options, $options_absent, { 'target' => $ssh::params::ssh_config })
+    $merged_options = sshclient_options_to_augeas_ssh_config($fin_options, $options_absent, { 'target' => $ssh::ssh_config })
   } else {
-    $merged_options = merge($fin_options, delete($ssh::params::ssh_default_options, keys($fin_options)))
+    $merged_options = merge($fin_options, delete($ssh::ssh_default_options, keys($fin_options)))
   }
   include ssh::client::install
diff --git a/manifests/client/config.pp b/manifests/client/config.pp
index e8a99a59..83be373d 100644
--- a/manifests/client/config.pp
+++ b/manifests/client/config.pp
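Review bot: The hierarchy lists the OS-family file first, and Hiera is first-match-wins from the top, so the family file outranks every more specific file below it and the version- and distribution-specific overrides added in this patch can never take effect: data/RedHat.yaml's `ssh::host_priv_key_group: 0` shadows RedHat-7.yaml's `'ssh_keys'`, Solaris.yaml's package names shadow Solaris-10.yaml's `SUNWsshdu`/`SUNWsshu`, and SLES.yaml's sftp path shadows SLES-10-x86_64.yaml. That reverses what the removed params.pp did for RHEL >= 7 and SLES 10/11 x86_64, and on RHEL 7 it changes the group ownership the distribution expects on the host private keys written by host_key.pp. The list should run from most specific to least specific, with the family file just above common.
```yaml
hierarchy:
  - name: 'Full Version'
    path: '%{facts.os.name}-%{facts.os.release.full}.yaml'

  - name: 'Major Version with architecture'
    path: '%{facts.os.name}-%{facts.os.release.major}-%{facts.os.architecture}.yaml'

  - name: 'Major Version'
    path: '%{facts.os.name}-%{facts.os.release.major}.yaml'

  - name: 'Distribution Name'
    path: '%{facts.os.name}.yaml'

  - name: 'Operating System Family'
    path: '%{facts.os.family}.yaml'

  - name: 'common'
    path: 'common.yaml'
```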
@@ -5,7 +5,7 @@
   if $use_augeas {
     create_resources('ssh_config', $options)
   } else {
-    file { $ssh::params::ssh_config:
+    file { $ssh::ssh_config:
       ensure => file,
       owner => '0',
       group => '0',
diff --git a/manifests/client/config/user.pp b/manifests/client/config/user.pp
index d2f81506..c53ed8d7 100644
--- a/manifests/client/config/user.pp
+++ b/manifests/client/config/user.pp
@@ -11,7 +11,7 @@
   Hash $options = {},
   String[1] $user = $name,
 ) {
-  include ssh::params
+  include ssh
   # If a specific target file was specified,
   # it must have higher priority than any
@@ -33,7 +33,7 @@
     file { $user_ssh_dir:
       ensure => directory,
       owner => $user,
-      mode => $ssh::params::user_ssh_directory_default_mode,
+      mode => $ssh::user_ssh_directory_default_mode,
       before => Concat_file[$_target],
     }
   }
@@ -44,7 +44,7 @@
     concat_file { $_target:
       ensure => $ensure,
       owner => $user,
-      mode => $ssh::params::user_ssh_config_default_mode,
+      mode => $ssh::user_ssh_config_default_mode,
       tag => $name,
     }
   }
diff --git a/manifests/client/install.pp b/manifests/client/install.pp
index d3489ec2..d9f83dff 100644
--- a/manifests/client/install.pp
+++ b/manifests/client/install.pp
@@ -1,7 +1,7 @@
 class ssh::client::install {
-  if $ssh::params::client_package_name {
+  if $ssh::client_package_name {
     ensure_packages([
-        $ssh::params::client_package_name,
+        $ssh::client_package_name,
       ], {
         'ensure' => $ssh::client::ensure,
       })
diff --git a/manifests/init.pp b/manifests/init.pp
index 19accd58..3edf69ce 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
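Review bot: Replacing `include ssh::params` with `include ssh` in the `ssh::client::config::user` define turns a side-effect-free lookup into a declaration of the whole module: class ssh declares `ssh::server` and `ssh::client` (visible in the init.pp hunks further down), so a catalog that only uses this define now also installs and manages the SSH server, and a later resource-like `class { 'ssh': ... }` in the same catalog fails as a duplicate declaration. The same substitution is made in server/config/setting.pp, server/install.pp and server/service.pp below; for the two private server classes it is harmless, for the public define and for `ssh::server::config::setting` it is a behaviour change. Since the values now live in module hiera, the define could read them without declaring the class, e.g. `$dir_mode = lookup('ssh::user_ssh_directory_default_mode')`, or the docblock should state that class ssh must be declared before this define is used.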
@@ -148,6 +148,21 @@
 # Use issue_net header
 #
 class ssh (
+  Stdlib::Absolutepath $sshd_dir,
+  Stdlib::Absolutepath $sshd_binary,
+  Boolean $validate_sshd_file,
+  Hash $sshd_default_options,
+  Hash $ssh_default_options,
+  Stdlib::Absolutepath $sshd_config,
+  Stdlib::Absolutepath $ssh_config,
+  Stdlib::Filemode $user_ssh_directory_default_mode,
+  Stdlib::Filemode $user_ssh_config_default_mode,
+  Integer $host_priv_key_group,
+  String $service_name,
+  Boolean $collect_enabled,
+  Optional[Stdlib::Absolutepath] $sshd_environments_file = undef,
+  Optional[String] $server_package_name = undef,
+  Optional[String] $client_package_name = undef,
   Hash[String[1],Hash[String[1],NotUndef]] $server_instances = {},
   Hash $server_options = {},
   Hash $server_match_block = {},
@@ -155,16 +170,13 @@
   Hash $users_client_options = {},
   String $version = 'present',
   Boolean $storeconfigs_enabled = true,
-  Boolean $validate_sshd_file = $ssh::params::validate_sshd_file,
   Boolean $use_augeas = false,
   Array $server_options_absent = [],
   Array $client_options_absent = [],
   Boolean $use_issue_net = false,
   Boolean $purge_unmanaged_sshkeys = true,
-  Stdlib::Absolutepath $sshd_dir = $ssh::params::sshd_dir,
-  Stdlib::Absolutepath $sshd_binary = $ssh::params::sshd_binary,
-  Optional[Stdlib::Absolutepath] $sshd_environments_file = $ssh::params::sshd_environments_file,
-) inherits ssh::params {
+
+) {
   # Merge hashes from multiple layer of hierarchy in hiera
   $hiera_server_options = lookup("${module_name}::server_options", Optional[Hash], 'deep', {})
   $hiera_server_match_block = lookup("${module_name}::server_match_block", Optional[Hash], 'deep', {})
diff --git a/manifests/knownhosts.pp b/manifests/knownhosts.pp
index bd6b9d22..eed301df 100644
--- a/manifests/knownhosts.pp
+++ b/manifests/knownhosts.pp
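Review bot: `Integer $host_priv_key_group` is too narrow: data/RedHat-7.yaml in this same patch (and the removed params.pp for RHEL >= 7) sets it to the string `'ssh_keys'`, and host_key.pp hands it straight to the file resource's `group`, which takes a name or a gid. With the hierarchy as ordered today the string value is shadowed by RedHat.yaml, which masks the mismatch; as soon as the more specific file wins, compilation fails on RHEL 7 with a type error. `Variant[Integer, String[1]] $host_priv_key_group,` matches what both the data and the file resource accept. The fifteen newly mandatory parameters also have no `@param` entries in the class docblock above the hunk; each should be documented, with a note that the value is supplied by module-level hiera rather than by the caller.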
@@ -8,9 +8,9 @@
 # Define the hostkeys group storage
 #
 class ssh::knownhosts (
-  Boolean $collect_enabled = $ssh::params::collect_enabled,
+  Boolean $collect_enabled = $ssh::collect_enabled,
   Optional[String] $storeconfigs_group = undef,
-) inherits ssh::params {
+) {
   if ($collect_enabled) {
     if $storeconfigs_group {
       Sshkey <<| tag == "hostkey_${storeconfigs_group}" |>>
diff --git a/manifests/params.pp b/manifests/params.pp
deleted file mode 100644
index 325de7ec..00000000
--- a/manifests/params.pp
+++ /dev/null
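Review bot: The default `$collect_enabled = $ssh::collect_enabled` now depends on class ssh having been evaluated before `ssh::knownhosts`; `inherits ssh::params` used to guarantee that the referenced class was evaluated first, but nothing in this hunk replaces it, so a catalog that declares `ssh::knownhosts` on its own gets undef here and fails the `Boolean` type check. `ssh::server::match_block` further down has the same dependency on `$ssh::sshd_config` and additionally removes the `include ssh` it had. A default that does not depend on evaluation order is `Boolean $collect_enabled = lookup('ssh::collect_enabled'),`, which reads the same module-hiera key the class parameter is bound to.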
@@ -1,254 +0,0 @@ -# @summary -# Params class -# -# @api private -# -class ssh::params { - case $facts['os']['family'] { - 'Debian': { - $server_package_name = 'openssh-server' - $client_package_name = 'openssh-client' - $sshd_dir = '/etc/ssh' - $sshd_binary = '/usr/sbin/sshd' - $sshd_config = '/etc/ssh/sshd_config' - $sshd_environments_file = '/etc/default/ssh' - $ssh_config = '/etc/ssh/ssh_config' - $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' - $service_name = 'ssh' - $sftp_server_path = '/usr/lib/openssh/sftp-server' - $host_priv_key_group = 0 - } - 'RedHat': { - $server_package_name = 'openssh-server' - $client_package_name = 'openssh-clients' - $sshd_dir = '/etc/ssh' - $sshd_binary = '/usr/sbin/sshd' - $sshd_config = '/etc/ssh/sshd_config' - $sshd_environments_file = '/etc/sysconfig/sshd' - $ssh_config = '/etc/ssh/ssh_config' - $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' - $service_name = 'sshd' - $sftp_server_path = '/usr/libexec/openssh/sftp-server' - if versioncmp($facts['os']['release']['major'], '7') >= 0 { - $host_priv_key_group = 'ssh_keys' - } else { - $host_priv_key_group = 0 - } - } - 'FreeBSD', 'DragonFly': { - $server_package_name = undef - $client_package_name = undef - $sshd_dir = '/etc/ssh' - $sshd_binary = '/usr/local/sbin/sshd' - $sshd_config = '/etc/ssh/sshd_config' - $ssh_config = '/etc/ssh/ssh_config' - $sshd_environments_file = undef - $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' - $service_name = 'sshd' - $sftp_server_path = '/usr/libexec/sftp-server' - $host_priv_key_group = 0 - } - 'OpenBSD': { - $server_package_name = undef - $client_package_name = undef - $sshd_dir = '/etc/ssh' - $sshd_config = '/etc/ssh/sshd_config' - $ssh_config = '/etc/ssh/ssh_config' - $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' - $service_name = 'sshd' - $sftp_server_path = '/usr/libexec/sftp-server' - $host_priv_key_group = 0 - } - 'Darwin': { - $server_package_name = undef - $client_package_name = undef - $sshd_dir = '/etc/ssh' - $sshd_config = 
'/etc/ssh/sshd_config' - $ssh_config = '/etc/ssh/ssh_config' - $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' - $service_name = 'com.openssh.sshd' - $sftp_server_path = '/usr/libexec/sftp-server' - $host_priv_key_group = 0 - } - 'ArchLinux': { - $server_package_name = 'openssh' - $client_package_name = 'openssh' - $sshd_dir = '/etc/ssh' - $sshd_binary = '/usr/bin/sshd' - $sshd_config = '/etc/ssh/sshd_config' - $sshd_environments_file = undef - $ssh_config = '/etc/ssh/ssh_config' - $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' - $service_name = 'sshd.service' - $sftp_server_path = '/usr/lib/ssh/sftp-server' - $host_priv_key_group = 0 - } - 'Suse': { - $server_package_name = 'openssh' - $client_package_name = 'openssh' - $sshd_dir = '/etc/ssh' - $sshd_binary = '/usr/sbin/sshd' - $sshd_config = '/etc/ssh/sshd_config' - $sshd_environments_file = '/etc/sysconfig/ssh' - $ssh_config = '/etc/ssh/ssh_config' - $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' - $host_priv_key_group = 0 - case $facts['os']['name'] { - 'SLES': { - $service_name = 'sshd' - case $facts['os']['release']['full'] { - /^10\./, /^11\./: { - if ($facts['os']['architecture'] == 'x86_64') { - $sftp_server_path = '/usr/lib64/ssh/sftp-server' - } else { - $sftp_server_path = '/usr/lib/ssh/sftp-server' - } - } - default: { - $sftp_server_path = '/usr/lib/ssh/sftp-server' - } - } - } - 'OpenSuse': { - $service_name = 'sshd' - $sftp_server_path = '/usr/lib/ssh/sftp-server' - } - default: { - fail("Unsupported platform: ${facts['os']['family']}/${facts['os']['name']}") - } - } - } - 'Solaris': { - $sshd_binary = '/usr/sbin/sshd' - $sshd_environments_file = undef - case $facts['os']['name'] { - 'SmartOS': { - $server_package_name = undef - $client_package_name = undef - $sshd_dir = '/etc/ssh' - $sshd_config = '/etc/ssh/sshd_config' - $ssh_config = '/etc/ssh/ssh_config' - $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' - $service_name = 'svc:/network/ssh:default' - $sftp_server_path = 'internal-sftp' - 
$host_priv_key_group = 0 - } - default: { - $sshd_dir = '/etc/ssh' - $sshd_config = '/etc/ssh/sshd_config' - $ssh_config = '/etc/ssh/ssh_config' - $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' - $service_name = 'svc:/network/ssh:default' - $sftp_server_path = 'internal-sftp' - $host_priv_key_group = 0 - case versioncmp($facts['kernelrelease'], '5.10') { - 1: { - # Solaris 11 and later - $server_package_name = '/service/network/ssh' - $client_package_name = '/network/ssh' - } - 0: { - # Solaris 10 - $server_package_name = 'SUNWsshdu' - $client_package_name = 'SUNWsshu' - } - default: { - # Solaris 9 and earlier not supported - fail("Unsupported platform: ${facts['os']['family']}/${facts['kernelrelease']}") - } - } - } - } - } - default: { - case $facts['os']['name'] { - 'Gentoo': { - $server_package_name = 'openssh' - $client_package_name = 'openssh' - $sshd_dir = '/etc/ssh' - $sshd_binary = '/usr/sbin/sshd' - $sshd_environments_file = undef - $sshd_config = '/etc/ssh/sshd_config' - $ssh_config = '/etc/ssh/ssh_config' - $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' - $service_name = 'sshd' - $sftp_server_path = '/usr/lib64/misc/sftp-server' - $host_priv_key_group = 0 - } - 'Amazon': { - $server_package_name = 'openssh-server' - $client_package_name = 'openssh-clients' - $sshd_dir = '/etc/ssh' - $sshd_binary = '/usr/sbin/sshd' - $sshd_environments_file = '/etc/sysconfig/sshd' - $sshd_config = '/etc/ssh/sshd_config' - $ssh_config = '/etc/ssh/ssh_config' - $ssh_known_hosts = '/etc/ssh/ssh_known_hosts' - $service_name = 'sshd' - $sftp_server_path = '/usr/libexec/openssh/sftp-server' - $host_priv_key_group = 0 - } - default: { - fail("Unsupported platform: ${facts['os']['family']}/${facts['os']['name']}") - } - } - } - } - - # ssh & sshd default options: - # - OpenBSD doesn't know about UsePAM - # - Sun_SSH doesn't know about UsePAM & AcceptEnv; SendEnv & HashKnownHosts - case $facts['os']['family'] { - 'OpenBSD': { - $sshd_default_options = { - 
'ChallengeResponseAuthentication' => 'no', - 'X11Forwarding' => 'yes', - 'PrintMotd' => 'no', - 'AcceptEnv' => 'LANG LC_*', - 'Subsystem' => "sftp ${sftp_server_path}", - } - $ssh_default_options = { - 'Host *' => { - 'SendEnv' => 'LANG LC_*', - 'HashKnownHosts' => 'yes', - }, - } - } - 'Solaris': { - $sshd_default_options = { - 'ChallengeResponseAuthentication' => 'no', - 'X11Forwarding' => 'yes', - 'PrintMotd' => 'no', - 'Subsystem' => "sftp ${sftp_server_path}", - 'HostKey' => [ - "${sshd_dir}/ssh_host_rsa_key", - "${sshd_dir}/ssh_host_dsa_key", - ], - } - $ssh_default_options = { - } - } - default: { - $sshd_default_options = { - 'ChallengeResponseAuthentication' => 'no', - 'X11Forwarding' => 'yes', - 'PrintMotd' => 'no', - 'AcceptEnv' => 'LANG LC_*', - 'Subsystem' => "sftp ${sftp_server_path}", - 'UsePAM' => 'yes', - } - $ssh_default_options = { - 'Host *' => { - 'SendEnv' => 'LANG LC_*', - 'HashKnownHosts' => 'yes', - }, - } - } - } - - $validate_sshd_file = false - $user_ssh_directory_default_mode = '0700' - $user_ssh_config_default_mode = '0600' - $collect_enabled = true # Collect sshkey resources - $issue_net = '/etc/issue.net' -} diff --git a/manifests/server.pp b/manifests/server.pp index e30a6311..a306bd64 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -1,3 +1,4 @@ +# @api private # @summary # This class managed ssh server # @@ -41,7 +42,8 @@ Array $options_absent = [], Hash $match_block = {}, Boolean $use_issue_net = false -) inherits ssh::params { +) { + assert_private() # Merge hashes from multiple layer of hierarchy in hiera $hiera_options = lookup("${module_name}::server::options", Optional[Hash], 'deep', {}) $hiera_match_block = lookup("${module_name}::server::match_block", Optional[Hash], 'deep', {}) 
@@ -50,9 +52,9 @@
   $fin_match_block = deep_merge($hiera_match_block, $match_block)
   if $use_augeas {
-    $merged_options = sshserver_options_to_augeas_sshd_config($fin_options, $options_absent, { 'target' => $ssh::params::sshd_config })
+    $merged_options = sshserver_options_to_augeas_sshd_config($fin_options, $options_absent, { 'target' => $ssh::sshd_config })
   } else {
-    $merged_options = deep_merge($ssh::params::sshd_default_options, $fin_options)
+    $merged_options = deep_merge($ssh::sshd_default_options, $fin_options)
   }
   include ssh::server::install
diff --git a/manifests/server/config.pp b/manifests/server/config.pp
index ce1fa122..600de0af 100644
--- a/manifests/server/config.pp
+++ b/manifests/server/config.pp
@@ -18,35 +18,35 @@
   if $ssh::server::use_augeas {
     create_resources('sshd_config', $options)
   } else {
-    concat { $ssh::params::sshd_config:
+    concat { $ssh::sshd_config:
       ensure => present,
       owner => 0,
       group => 0,
       mode => '0600',
       validate_cmd => $sshd_validate_cmd,
-      notify => Service[$ssh::params::service_name],
+      notify => Service[$ssh::service_name],
     }
     concat::fragment { 'global config':
-      target => $ssh::params::sshd_config,
+      target => $ssh::sshd_config,
       content => template("${module_name}/sshd_config.erb"),
       order => '00',
     }
   }
   if $ssh::server::use_issue_net {
-    file { $ssh::params::issue_net:
+    file { $ssh::issue_net:
       ensure => file,
       owner => 0,
       group => 0,
       mode => '0644',
       content => template("${module_name}/issue.net.erb"),
-      notify => Service[$ssh::params::service_name],
+      notify => Service[$ssh::service_name],
     }
     concat::fragment { 'banner file':
-      target => $ssh::params::sshd_config,
-      content => "Banner ${ssh::params::issue_net}\n",
+      target => $ssh::sshd_config,
+      content => "Banner ${ssh::issue_net}\n",
       order => '01',
     }
   }
diff --git a/manifests/server/config/setting.pp b/manifests/server/config/setting.pp
index 20dafc68..4a3d8455 100644
--- a/manifests/server/config/setting.pp
+++ b/manifests/server/config/setting.pp
@@ -8,7 +8,7 @@
   $value,
   $order = '10'
 ) {
-  include ssh::params
+  include ssh
   if is_bool($value) {
     $real_value = $value ? {
@@ -25,7 +25,7 @@
   }
   concat::fragment { "ssh_setting_${name}_${key}":
-    target => $ssh::params::sshd_config,
+    target => $ssh::sshd_config,
     content => "\n# added by Ssh::Server::Config::Setting[${name}]\n${key} ${real_value}\n",
     order => $order,
   }
diff --git a/manifests/server/host_key.pp b/manifests/server/host_key.pp
index 209f057c..40b886c4 100644
--- a/manifests/server/host_key.pp
+++ b/manifests/server/host_key.pp
@@ -88,7 +88,7 @@
       owner => 0,
       group => 0,
       mode => '0644',
-      path => "${ssh::params::sshd_dir}/${name}.pub",
+      path => "${ssh::sshd_dir}/${name}.pub",
       source => $manage_pub_key_source,
       content => $manage_pub_key_content,
       notify => Class['ssh::server::service'],
@@ -97,9 +97,9 @@
     file { "${name}_priv":
       ensure => $ensure,
       owner => 0,
-      group => $ssh::params::host_priv_key_group,
+      group => $ssh::host_priv_key_group,
       mode => '0600',
-      path => "${ssh::params::sshd_dir}/${name}",
+      path => "${ssh::sshd_dir}/${name}",
       source => $manage_priv_key_source,
       content => $manage_priv_key_content,
       show_diff => false,
@@ -111,16 +111,16 @@
       owner => 0,
       group => 0,
       mode => '0644',
-      path => "${ssh::params::sshd_dir}/${name}.pub",
+      path => "${ssh::sshd_dir}/${name}.pub",
       notify => Class['ssh::server::service'],
     }
     file { "${name}_priv":
       ensure => $ensure,
       owner => 0,
-      group => $ssh::params::host_priv_key_group,
+      group => $ssh::host_priv_key_group,
       mode => '0600',
-      path => "${ssh::params::sshd_dir}/${name}",
+      path => "${ssh::sshd_dir}/${name}",
       show_diff => false,
       notify => Class['ssh::server::service'],
     }
@@ -133,7 +133,7 @@
       owner => 0,
       group => 0,
       mode => '0644',
-      path => "${ssh::params::sshd_dir}/${name}-cert.pub",
+      path => "${ssh::sshd_dir}/${name}-cert.pub",
       source => $manage_cert_source,
       content => $manage_cert_content,
       notify => Class['ssh::server::service'],
@@ -144,7 +144,7 @@
       owner => 0,
       group => 0,
       mode => '0644',
-      path => "${ssh::params::sshd_dir}/${name}-cert.pub",
+      path => "${ssh::sshd_dir}/${name}-cert.pub",
       notify => Class['ssh::server::service'],
     }
   }
diff --git a/manifests/server/install.pp b/manifests/server/install.pp
index d6a4a466..eed5802e 100644
--- a/manifests/server/install.pp
+++ b/manifests/server/install.pp
@@ -4,10 +4,10 @@
 # @api private
 #
 class ssh::server::install {
-  include ssh::params
-  if $ssh::params::server_package_name {
+  include ssh
+  if $ssh::server_package_name {
     ensure_packages ([
-        $ssh::params::server_package_name,
+        $ssh::server_package_name,
       ], {
         'ensure' => $ssh::server::ensure,
       })
diff --git a/manifests/server/match_block.pp b/manifests/server/match_block.pp
index 2ee1ad55..0f636785 100644
--- a/manifests/server/match_block.pp
+++ b/manifests/server/match_block.pp
@@ -1,15 +1,12 @@
 # @summary
 # Add match_block to ssh server config (concat needed)
 #
-# @api private
-#
 define ssh::server::match_block (
   Hash $options = {},
   String $type = 'user',
   Integer $order = 50,
   Stdlib::Absolutepath $target = $ssh::sshd_config,
 ) {
-  include ssh
   if $ssh::server::use_augeas {
     fail('ssh::server::match_block() define not supported with use_augeas = true')
   } else {
diff --git a/manifests/server/options.pp b/manifests/server/options.pp
index de451eb5..d4e0e548 100644
--- a/manifests/server/options.pp
+++ b/manifests/server/options.pp
@@ -8,7 +8,7 @@
   Integer $order = 50
 ) {
   concat::fragment { "options ${name}":
-    target => $ssh::params::sshd_config,
+    target => $ssh::sshd_config,
     content => template("${module_name}/options.erb"),
     order => 100+$order,
   }
diff --git a/manifests/server/service.pp b/manifests/server/service.pp
index 1aa0757b..a668cc6f 100644
--- a/manifests/server/service.pp
+++ b/manifests/server/service.pp
@@ -11,10 +11,10 @@
   String $ensure = 'running',
   Boolean $enable = true
 ) {
-  include ssh::params
+  include ssh
   include ssh::server
-  service { $ssh::params::service_name:
+  service { $ssh::service_name:
     ensure => $ssh::server::service::ensure,
     hasstatus => true,
     hasrestart => true,
diff --git a/spec/classes/client_spec.rb b/spec/classes/client_spec.rb
deleted file mode 100644
index c9e63622..00000000
--- a/spec/classes/client_spec.rb
+++ /dev/null
@@ -1,28 +0,0 @@
-require 'spec_helper'
-
-describe 'ssh::client', type: 'class' do
-  on_supported_os.each do |os, os_facts|
-    let(:facts) { os_facts }
-
-    context "on #{os}" do
-      context 'with all defaults' do
-        it { is_expected.to compile.with_all_deps }
-      end
-      context 'when on Debian with no other parameters', if: %w[Debian].include?(os_facts[:os]['Family']) do
-        it { is_expected.to contain_package('openssh-client').with_ensure('installed') }
-      end
-      context 'when on Debian with no other parameters', if: %w[RedHat].include?(os_facts[:os]['Family']) do
-        it { is_expected.to contain_package('openssh-clients').with_ensure('installed') }
-      end
-      context 'when on Debian with custom ensure', if: %w[Debian].include?(os_facts[:os]['Family']) do
-        let :params do
-          {
-            ensure: 'latest'
-          }
-        end
-
-        it { is_expected.to contain_package('openssh-client').with_ensure('latest') }
-      end
-    end
-  end
-end
diff --git a/spec/classes/server_spec.rb b/spec/classes/server_spec.rb
deleted file mode 100644
index 143142c5..00000000
--- a/spec/classes/server_spec.rb
+++ /dev/null
@@ -1,141 +0,0 @@ -require 'spec_helper' -describe 'ssh::server' do - on_supported_os.each do |os, os_facts| - let(:facts) { os_facts } - - context "on #{os}" do - let :default_params do - { - ensure: 'present', - storeconfigs_enabled: true - } - end - - context 'with all defaults' do - it { is_expected.to compile.with_all_deps } - end - describe 'providing options' do - let :params do - { - options: { - 'TestString' => '/usr/bin', - 'TestBoolean' => true - } - } - end - - context 'Debian sshd_config', if: %w[Debian].include?(os_facts[:os]['Family']) do - it do - is_expected.to contain_concat__fragment('global config').with( - target: '/etc/ssh/sshd_config', - content: '# File is managed by Puppet - - AcceptEnv LANG LC_* - ChallengeResponseAuthentication no - PrintMotd no - Subsystem sftp /usr/libexec/openssh/sftp-server - TestBoolean yes - TestString /usr/bin - UsePAM yes - X11Forwarding yes - ' - # rubocop:enable EmptyLinesAroundArguments - ) - end - end - end - [{}, - { - ensure: 'latest', - storeconfigs_enabled: true - }, - { - ensure: 'present', - storeconfigs_enabled: false - }].each do |param_set| - describe "when #{param_set == {} ? 
'using default' : 'specifying'} class parameters" do - let :param_hash do - default_params.merge(param_set) - end - - let :params do - param_set - end - - ['Debian'].each do |osfamily| - describe "on supported osfamily: #{osfamily}", if: %w[Debian].include?(os_facts[:os]['Family']) do - it { is_expected.to contain_class('ssh::params') } - it do - if param_hash[:ensure] == 'present' - is_expected.to contain_package('openssh-server').with_ensure('installed') - else - is_expected.to contain_package('openssh-server').with_ensure(param_hash[:ensure]) - end - end - - it do - is_expected.to contain_service('ssh').with( - 'ensure' => 'running', - 'enable' => true, - 'hasrestart' => true, - 'hasstatus' => true - ) - end - - it { is_expected.to contain_concat('/etc/ssh/sshd_config') } - it do - is_expected.to contain_concat__fragment('global config').with( - target: '/etc/ssh/sshd_config', - content: '# File is managed by Puppet - -AcceptEnv LANG LC_* -ChallengeResponseAuthentication no -PrintMotd no -Subsystem sftp /usr/lib/openssh/sftp-server -UsePAM yes -X11Forwarding yes -' - ) - end - end - describe 'on Arch', if: %w[Archlinux].include?(os_facts[:os]['Family']) do - it { is_expected.to contain_class('ssh::params') } - it do - if param_hash[:ensure] == 'present' - is_expected.to contain_package('openssh').with_ensure('installed').with(name: 'openssh') - else - is_expected.to contain_package('openssh').with_ensure(param_hash[:ensure]).with(name: 'openssh') - end - end - - it do - is_expected.to contain_service('sshd.service').with( - 'ensure' => 'running', - 'enable' => true, - 'hasrestart' => true, - 'hasstatus' => true - ) - end - - it { is_expected.to contain_concat('/etc/ssh/sshd_config') } - it do - is_expected.to contain_concat__fragment('global config').with( - target: '/etc/ssh/sshd_config', - content: '# File is managed by Puppet - -AcceptEnv LANG LC_* -ChallengeResponseAuthentication no -PrintMotd no -Subsystem sftp /usr/lib/ssh/sftp-server -UsePAM yes 
-X11Forwarding yes -' - ) - end - end - end - end - end - end - end -end diff --git a/spec/defines/server/match_block_spec.rb b/spec/defines/server/match_block_spec.rb index 0a258b27..75e97f4f 100644 --- a/spec/defines/server/match_block_spec.rb +++ b/spec/defines/server/match_block_spec.rb 
@@ -3,51 +3,42 @@ require 'spec_helper' describe 'ssh::server::match_block' do - context 'with *,!ssh_exempt_ldap_authkey,!sshlokey present' do - let(:title) { '*,!ssh_exempt_ldap_authkey,!sshlokey' } - let :pre_condition do - 'include ssh' - end - let(:params) do - { - 'type' => 'group', - 'options' => { - 'AuthorizedKeysCommand' => '/usr/local/bin/getauthkey', - 'AuthorizedKeysCommandUser' => 'nobody', - 'AuthorizedKeysFile' => '/dev/null', - }, - 'target' => '/etc/ssh/sshd_config_sftp_server', - } - end + on_supported_os.each do |os, os_facts| + context "on #{os}" do + let(:facts) { os_facts } + let :pre_condition do + 'include ssh' + end - on_supported_os.each do |os, os_facts| - context "on #{os}" do - let(:facts) { os_facts } + context 'with *,!ssh_exempt_ldap_authkey,!sshlokey present' do + let(:title) { '*,!ssh_exempt_ldap_authkey,!sshlokey' } + let(:params) do + { + 'type' => 'group', + 'options' => { + 'AuthorizedKeysCommand' => '/usr/local/bin/getauthkey', + 'AuthorizedKeysCommandUser' => 'nobody', + 'AuthorizedKeysFile' => '/dev/null', + }, + 'target' => '/etc/ssh/sshd_config_sftp_server', + } + end it { is_expected.to compile.with_all_deps } it { is_expected.to contain_concat__fragment('match_block *,!ssh_exempt_ldap_authkey,!sshlokey') } end - end - end - context 'with ssh_deny_pw_auth,sshdnypw' do - let(:title) { 'ssh_deny_pw_auth,sshdnypw' } - let :pre_condition do - 'include ssh' - end - let(:params) do - { - 'type' => 'group', - 'options' => { - 'KbdInteractiveAuthentication' => 'no', - 'PasswordAuthentication' => 'no', - }, - 'target' => '/etc/ssh/sshd_config_sftp_server', - } - end - - on_supported_os.each do |os, os_facts| - context "on #{os}" do - let(:facts) { os_facts } + context 'with ssh_deny_pw_auth,sshdnypw' do + let(:title) { 'ssh_deny_pw_auth,sshdnypw' } + let(:params) do + { + 'type' => 'group', + 'options' => { + 'KbdInteractiveAuthentication' => 'no', + 'PasswordAuthentication' => 'no', + }, + 'target' => 
'/etc/ssh/sshd_config_sftp_server',
+        }
+      end
       it { is_expected.to compile.with_all_deps }
       it { is_expected.to contain_concat__fragment('match_block ssh_deny_pw_auth,sshdnypw') }
From 013ea6528b29f28c3ef22afbbc8aaeaed68e2eab Mon Sep 17 00:00:00 2001
From: Steffen Zieger
Date: Mon, 28 Mar 2022 12:54:28 +0200
Subject: [PATCH 160/246] Set proper default value for `$target` in `ssh::server::match_block
---
 manifests/server/match_block.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/manifests/server/match_block.pp b/manifests/server/match_block.pp
index 2ee1ad55..835badcb 100644
--- a/manifests/server/match_block.pp
+++ b/manifests/server/match_block.pp
@@ -7,7 +7,7 @@
   Hash $options = {},
   String $type = 'user',
   Integer $order = 50,
-  Stdlib::Absolutepath $target = $ssh::sshd_config,
+  Stdlib::Absolutepath $target = $ssh::params::sshd_config,
 ) {
   include ssh
   if $ssh::server::use_augeas {
From 9c7d6d6653435d660ee79f030aa649cde3c83dae Mon Sep 17 00:00:00 2001
From: Simon Hoenscheid
Date: Wed, 13 Apr 2022 15:10:56 +0200
Subject: [PATCH 161/246] removing old lookup funktions and deep merging where possible. Hiera takes care of that now.
---
 data/OpenBSD.yaml | 4 ++--
 data/Solaris.yaml | 2 +-
 data/common.yaml | 14 ++++++++++++--
 manifests/client.pp | 8 ++------
 manifests/init.pp | 21 ++++----------------
 manifests/server.pp | 12 +++---------
 6 files changed, 24 insertions(+), 37 deletions(-)
diff --git a/data/OpenBSD.yaml b/data/OpenBSD.yaml
index 74d6f03e..c4e6954d 100644
--- a/data/OpenBSD.yaml
+++ b/data/OpenBSD.yaml
@@ -7,14 +7,14 @@ ssh::service_name: 'sshd'
 ssh::sftp_server_path: '/usr/libexec/sftp-server'
 ssh::host_priv_key_group: 0
-ssh::sshd_default_options:
+ssh::server_options:
   ChallengeResponseAuthentication: 'no'
   X11Forwarding : 'yes'
   PrintMotd : 'no'
   AcceptEnv : 'LANG LC_*'
   Subsystem : "sftp %{lookup('ssh::sftp_server_path')}"
-ssh::ssh_default_options:
+ssh::client_options:
   'Host *':
     SendEnv: 'LANG LC_*'
     HashKnownHosts: 'yes'
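Review bot: The new default `$ssh::params::sshd_config` points at `ssh::params`, a class that the earlier patch in this page deletes (`manifests/params.pp`, deleted mode), and the hunk's own context line `include ssh` is removed there as well; if the series applies in the numbered order this hunk does not apply cleanly, and if it is carried over by hand the default resolves to undef and fails the `Stdlib::Absolutepath` check. The ordering is inferred from the patch numbers, so this may be a rebase artefact rather than an intended revert. The value that exists after the refactor is the class parameter, so `Stdlib::Absolutepath $target = $ssh::sshd_config,` is the right default, or `lookup('ssh::sshd_config')` if the define should not depend on class ssh being evaluated first. The rest of the define's body is outside the hunk.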
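Review bot: Renaming this hash to `ssh::server_options` changes its merge behaviour, because common.yaml in this same commit declares `lookup_options` with `merge: deep` for that key: OpenBSD.yaml no longer replaces the generic hash but is merged into it, so the `UsePAM: 'yes'` that common.yaml carries now reaches the OpenBSD sshd_config — exactly the option the removed params.pp comment said OpenBSD does not know. Solaris has the same exposure via its data file below, and there the key is not even renamed. Either drop `UsePAM` from common.yaml and set it only in the platform files that need it, or keep a per-platform override by giving the OpenBSD entry a knockout, e.g. `UsePAM: '--'` together with a `knockout_prefix: '--'` in the lookup_options (see the note on common.yaml).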
diff --git a/data/Solaris.yaml b/data/Solaris.yaml
index dadf33f4..89fe5370 100644
--- a/data/Solaris.yaml
+++ b/data/Solaris.yaml
@@ -13,4 +13,4 @@ ssh:sshd_default_options:
     - "%{lookup('ssh::sshd_dir')}/ssh_host_rsa_key"
     - "%{lookup('ssh::sshd_dir')}/ssh_host_dsa_key"
-ssh::ssh_default_options: {}
+ssh::client_options: {}
diff --git a/data/common.yaml b/data/common.yaml
index ee5159df..dcc69a05 100644
--- a/data/common.yaml
+++ b/data/common.yaml
@@ -1,4 +1,14 @@
 ---
+lookup_options:
+  ssh::server_options:
+    merge: deep
+  ssh::server_match_block:
+    merge: deep
+  ssh::client_options:
+    merge: deep
+  ssh::users_client_options:
+    merge: deep
+
 ssh::sshd_dir: '/etc/ssh'
 ssh::sshd_config: '/etc/ssh/sshd_config'
 ssh::ssh_config: '/etc/ssh/ssh_config'
@@ -12,7 +22,7 @@ ssh::user_ssh_config_default_mode : '0600'
 ssh::collect_enabled : true # Collect sshkey resources
 ssh::issue_net : '/etc/issue.net'
-ssh::sshd_default_options:
+ssh::server_options:
   ChallengeResponseAuthentication: 'no'
   X11Forwarding: 'yes'
   PrintMotd: 'no'
@@ -20,7 +30,7 @@ ssh::sshd_default_options:
   Subsystem: "sftp %{lookup('ssh::sftp_server_path')}"
   UsePAM: 'yes'
-ssh::ssh_default_options:
+ssh::client_options:
   'Host *':
     SendEnv: 'LANG LC_*'
     HashKnownHosts: 'yes'
diff --git a/manifests/client.pp b/manifests/client.pp
index 759a9f49..f8f873bb 100644
--- a/manifests/client.pp
+++ b/manifests/client.pp
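Review bot: Only the client key is renamed here; the server hash, visible as the hunk header's context `ssh:sshd_default_options:`, is still spelled with a single colon and is not renamed to `ssh::server_options`, so it stays unbound and Solaris gets common.yaml's `ssh::server_options` unchanged — with `UsePAM` and `AcceptEnv`, and without the HostKey list this file tries to set. The line should become `ssh::server_options:` (outside this hunk, at the top of the same hash). A spec compiling against a Solaris fact set would show the missing HostKey entries immediately.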
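Review bot: Declaring `merge: deep` for these four keys silently changes what a user can do with them: before this commit client.pp and server.pp replaced a default top-level key with the user's value, whereas a deep merge keeps every default sub-key, so a user who supplies their own `'Host *'` hash still gets `SendEnv: 'LANG LC_*'` and `HashKnownHosts: 'yes'` from common.yaml, and there is no way left to remove a module default (`UsePAM`, `AcceptEnv`, `X11Forwarding: 'yes'`) through hiera at all — `options_absent` only acts on the augeas path. Hiera's deep merge supports a knockout, so `merge: { strategy: deep, knockout_prefix: '--' }` on each key would let operators drop a default with `UsePAM: '--'`; whichever way this goes, the `@param server_options`/`client_options` docs in init.pp (outside this hunk) need to say that values are merged into the module defaults rather than overriding them.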
@@ -29,15 +29,11 @@
 Array $options_absent = [],
 ) {
 assert_private()
- # Merge hashes from multiple layer of hierarchy in hiera
- $hiera_options = lookup("${module_name}::client::options", Optional[Hash], 'deep', {})
-
- $fin_options = deep_merge($hiera_options, $options)
 if $use_augeas {
- $merged_options = sshclient_options_to_augeas_ssh_config($fin_options, $options_absent, { 'target' => $ssh::ssh_config })
+ $merged_options = sshclient_options_to_augeas_ssh_config($options, $options_absent, { 'target' => $ssh::ssh_config })
 } else {
- $merged_options = merge($fin_options, delete($ssh::ssh_default_options, keys($fin_options)))
+ $merged_options = $options
 }
 include ssh::client::install
diff --git a/manifests/init.pp b/manifests/init.pp
index 3edf69ce..27e2df41 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -151,8 +151,6 @@
 Stdlib::Absolutepath $sshd_dir,
 Stdlib::Absolutepath $sshd_binary,
 Boolean $validate_sshd_file,
- Hash $sshd_default_options,
- Hash $ssh_default_options,
 Stdlib::Absolutepath $sshd_config,
 Stdlib::Absolutepath $ssh_config,
 Stdlib::Filemode $user_ssh_directory_default_mode,
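Review bot: Replacing `merge($fin_options, delete($ssh::ssh_default_options, keys($fin_options)))` with `$merged_options = $options` leaves the client defaults reachable only through Hiera's automatic parameter lookup of `ssh::client_options` (deep-merged via the `lookup_options` added in data/common.yaml), and automatic lookup is bypassed whenever the parameter is passed explicitly, so `class { 'ssh': client_options => {...} }` or a profile passing `options` directly no longer gets the `Host *` defaults at all. The same applies to the `$merged_options = $options` line in the server.pp hunk and the `options => $server_options` / `options => $client_options` lines in the init.pp hunk. For the server that means an explicit `server_options` hash silently drops the data defaults `ChallengeResponseAuthentication 'no'`, `Subsystem sftp …` and `UsePAM 'yes'`, so sshd falls back to its compiled-in behaviour for those directives with no warning in the catalog. If explicit hashes are meant to be overlays rather than replacements, merge them over a looked-up default (as the removed `lookup(..., 'deep', {})` plus `deep_merge` did) instead of assigning `$options` through.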
@@ -177,21 +175,10 @@
 Boolean $purge_unmanaged_sshkeys = true,
 ) {
- # Merge hashes from multiple layer of hierarchy in hiera
- $hiera_server_options = lookup("${module_name}::server_options", Optional[Hash], 'deep', {})
- $hiera_server_match_block = lookup("${module_name}::server_match_block", Optional[Hash], 'deep', {})
- $hiera_client_options = lookup("${module_name}::client_options", Optional[Hash], 'deep', {})
- $hiera_users_client_options = lookup("${module_name}::users_client_options", Optional[Hash], 'deep', {})
-
- $fin_server_options = deep_merge($hiera_server_options, $server_options)
- $fin_server_match_block = deep_merge($hiera_server_match_block, $server_match_block)
- $fin_client_options = deep_merge($hiera_client_options, $client_options)
- $fin_users_client_options = deep_merge($hiera_users_client_options, $users_client_options)
-
 class { 'ssh::server':
 ensure => $version,
 storeconfigs_enabled => $storeconfigs_enabled,
- options => $fin_server_options,
+ options => $server_options,
 validate_sshd_file => $validate_sshd_file,
 use_augeas => $use_augeas,
 options_absent => $server_options_absent,
@@ -201,7 +188,7 @@
 class { 'ssh::client':
 ensure => $version,
 storeconfigs_enabled => $storeconfigs_enabled,
- options => $fin_client_options,
+ options => $client_options,
 use_augeas => $use_augeas,
 options_absent => $client_options_absent,
 }
@@ -219,6 +206,6 @@
 }
 }
- create_resources('ssh::client::config::user', $fin_users_client_options)
- create_resources('ssh::server::match_block', $fin_server_match_block)
+ create_resources('ssh::client::config::user', $users_client_options)
+ create_resources('ssh::server::match_block', $server_match_block)
 }
diff --git a/manifests/server.pp b/manifests/server.pp
index a306bd64..f17e82a8 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -44,17 +44,11 @@
 Boolean $use_issue_net = false
 ) {
 assert_private()
- # Merge hashes from multiple layer of hierarchy in hiera
- $hiera_options = lookup("${module_name}::server::options", Optional[Hash], 'deep', {})
- $hiera_match_block = lookup("${module_name}::server::match_block", Optional[Hash], 'deep', {})
-
- $fin_options = deep_merge($hiera_options, $options)
- $fin_match_block = deep_merge($hiera_match_block, $match_block)
 if $use_augeas {
- $merged_options = sshserver_options_to_augeas_sshd_config($fin_options, $options_absent, { 'target' => $ssh::sshd_config })
+ $merged_options = sshserver_options_to_augeas_sshd_config($options, $options_absent, { 'target' => $ssh::sshd_config })
 } else {
- $merged_options = deep_merge($ssh::sshd_default_options, $fin_options)
+ $merged_options = $options
 }
 include ssh::server::install
@@ -78,5 +72,5 @@
 ~> Class['ssh::server::service']
 }
- create_resources('ssh::server::match_block', $fin_match_block)
+ create_resources('ssh::server::match_block', $match_block)
 }
From 6c27ef7caf21511fc4d48babb95d99c9a4d4c2b7 Mon Sep 17 00:00:00 2001
From: Steffen Zieger Date: Tue, 26 Apr 2022 10:53:56 +0200 Subject: [PATCH 162/246] fix parameter lookup --- Gemfile | 4 +- data/Amazon.yaml | 19 +- data/Archlinux.yaml | 17 +- data/Darwin.yaml | 11 +- data/Debian.yaml | 19 +- data/DragonFly.yaml | 13 +- data/FreeBSD.yaml | 13 +- data/Gentoo.yaml | 17 +- data/OpenBSD.yaml | 15 +- data/{OpenSuse.yaml => OpenSuSE.yaml} | 2 +- data/RedHat-7.yaml | 2 +- data/RedHat.yaml | 19 +- data/SLES.yaml | 2 +- data/SmartOS.yaml | 11 +- data/Solaris-10.yaml | 4 +- data/Solaris.yaml | 19 +- data/Suse.yaml | 17 +- data/common.yaml | 24 +-- lib/facter/ssh_client_version.rb | 8 +- lib/facter/ssh_server_version.rb | 6 +- lib/puppet/functions/ssh/ipaddresses.rb | 13 +- .../sshclient_options_to_augeas_ssh_config.rb | 22 +-- ...sshserver_options_to_augeas_sshd_config.rb | 22 +-- manifests/client.pp | 34 ++-- manifests/client/config.pp | 9 +- manifests/client/config/user.pp | 47 ++++- manifests/client/install.pp | 11 +- manifests/hostkeys.pp | 30 ++- manifests/init.pp | 48 ++--- manifests/knownhosts.pp | 4 +- manifests/server.pp | 57 ++++-- manifests/server/config.pp | 16 +- manifests/server/config/setting.pp | 19 +- manifests/server/host_key.pp | 84 ++++---- manifests/server/install.pp | 7 +- manifests/server/instances.pp | 47 +++-- manifests/server/match_block.pp | 22 ++- manifests/server/options.pp | 14 +- manifests/server/service.pp | 11 +- spec/acceptance/init_spec.rb | 5 + spec/classes/client_spec.rb | 39 ++++ spec/classes/init_spec.rb | 179 ++++++++++++++---- spec/classes/server_spec.rb | 97 ++++++++++ spec/defines/client/config/user_spec.rb | 2 + spec/defines/server/config/setting_spec.rb | 3 + spec/defines/server/host_key_spec.rb | 7 +- spec/defines/server/instances_spec.rb | 13 +- spec/defines/server/match_block_spec.rb | 1 + spec/functions/ssh/ipaddresses_spec.rb | 4 + spec/spec_helper.rb | 10 +- spec/spec_helper_acceptance.rb | 2 + .../util/fact_ssh_client_version_spec.rb | 6 + .../fact_ssh_server_version_major_spec.rb | 5 + 
.../util/fact_ssh_server_version_spec.rb | 6 + templates/sshd_config.erb | 11 +- 55 files changed, 776 insertions(+), 373 deletions(-) rename data/{OpenSuse.yaml => OpenSuSE.yaml} (61%) create mode 100644 spec/classes/client_spec.rb create mode 100644 spec/classes/server_spec.rb diff --git a/Gemfile b/Gemfile index d5753f1d..963a5e3f 100644 --- a/Gemfile +++ b/Gemfile @@ -4,7 +4,7 @@ source ENV['GEM_SOURCE'] || "https://rubygems.org" group :test do - gem 'voxpupuli-test', '~> 2.5', :require => false + gem 'voxpupuli-test', '~> 5.0', :require => false gem 'coveralls', :require => false gem 'simplecov-console', :require => false gem 'puppet_metadata', '~> 1.0', :require => false @@ -21,7 +21,7 @@ end group :release do gem 'github_changelog_generator', '>= 1.16.1', :require => false - gem 'voxpupuli-release', '>= 1.0.2', :require => false + gem 'voxpupuli-release', '>= 1.2.0', :require => false gem 'puppet-strings', '>= 2.2', :require => false end diff --git a/data/Amazon.yaml b/data/Amazon.yaml index 3869c98c..a2042c3d 100644 --- a/data/Amazon.yaml +++ b/data/Amazon.yaml @@ -1,12 +1,11 @@ --- -ssh::server_package_name: 'openssh-server' -ssh::client_package_name: 'openssh-clients' -ssh::sshd_dir: '/etc/ssh' -ssh::sshd_binary: '/usr/sbin/sshd' -ssh::sshd_environments_file: '/etc/sysconfig/sshd' -ssh::sshd_config: '/etc/ssh/sshd_config' -ssh::ssh_config: '/etc/ssh/ssh_config' -ssh::ssh_known_hosts: '/etc/ssh/ssh_known_hosts' -ssh::service_name: 'sshd' +ssh::server::server_package_name: 'openssh-server' +ssh::client::client_package_name: 'openssh-clients' +ssh::server::sshd_dir: '/etc/ssh' +ssh::server::sshd_binary: '/usr/sbin/sshd' +ssh::server::sshd_environments_file: '/etc/sysconfig/sshd' +ssh::server::sshd_config: '/etc/ssh/sshd_config' +ssh::client::ssh_config: '/etc/ssh/ssh_config' +ssh::server::service_name: 'sshd' ssh::sftp_server_path: '/usr/libexec/openssh/sftp-server' -ssh::host_priv_key_group: 0 +ssh::server::host_priv_key_group: 0 
diff --git a/data/Archlinux.yaml b/data/Archlinux.yaml index 73b6ee1a..3255fb6d 100644 --- a/data/Archlinux.yaml +++ b/data/Archlinux.yaml @@ -1,11 +1,10 @@ --- -ssh::server_package_name: 'openssh' -ssh::client_package_name: 'openssh' -ssh::sshd_dir: '/etc/ssh' -ssh::sshd_binary: '/usr/bin/sshd' -ssh::sshd_config: '/etc/ssh/sshd_config' -ssh::ssh_config: '/etc/ssh/ssh_config' -ssh::ssh_known_hosts: '/etc/ssh/ssh_known_hosts' -ssh::service_name: 'sshd.service' +ssh::server::server_package_name: 'openssh' +ssh::client::client_package_name: 'openssh' +ssh::server::sshd_dir: '/etc/ssh' +ssh::server::sshd_binary: '/usr/bin/sshd' +ssh::server::sshd_config: '/etc/ssh/sshd_config' +ssh::client::ssh_config: '/etc/ssh/ssh_config' +ssh::server::service_name: 'sshd.service' ssh::sftp_server_path: '/usr/lib/ssh/sftp-server' -ssh::host_priv_key_group: 0 +ssh::server::host_priv_key_group: 0 diff --git a/data/Darwin.yaml b/data/Darwin.yaml index f3cff65c..5a6a4610 100644 --- a/data/Darwin.yaml +++ b/data/Darwin.yaml @@ -1,8 +1,7 @@ --- -ssh::sshd_dir: '/etc/ssh' -ssh::sshd_config: '/etc/ssh/sshd_config' -ssh::ssh_config: '/etc/ssh/ssh_config' -ssh::ssh_known_hosts: '/etc/ssh/ssh_known_hosts' -ssh::service_name: 'com.openssh.sshd' +ssh::server::sshd_dir: '/etc/ssh' +ssh::server::sshd_config: '/etc/ssh/sshd_config' +ssh::client::ssh_config: '/etc/ssh/ssh_config' +ssh::server::service_name: 'com.openssh.sshd' ssh::sftp_server_path: '/usr/libexec/sftp-server' -ssh::host_priv_key_group: 0 +ssh::server::host_priv_key_group: 0 diff --git a/data/Debian.yaml b/data/Debian.yaml index e07e99ce..e59e67ab 100644 --- a/data/Debian.yaml +++ b/data/Debian.yaml 
@@ -1,12 +1,11 @@ --- -ssh::server_package_name: 'openssh-server' -ssh::client_package_name: 'openssh-client' -ssh::sshd_dir: '/etc/ssh' -ssh::sshd_binary: '/usr/sbin/sshd' -ssh::sshd_config: '/etc/ssh/sshd_config' -ssh::sshd_environments_file: '/etc/default/ssh' -ssh::ssh_config: '/etc/ssh/ssh_config' -ssh::ssh_known_hosts: '/etc/ssh/ssh_known_hosts' -ssh::service_name: 'ssh' +ssh::server::server_package_name: 'openssh-server' +ssh::client::client_package_name: 'openssh-client' +ssh::server::sshd_dir: '/etc/ssh' +ssh::server::sshd_binary: '/usr/sbin/sshd' +ssh::server::sshd_config: '/etc/ssh/sshd_config' +ssh::server::sshd_environments_file: '/etc/default/ssh' +ssh::client::ssh_config: '/etc/ssh/ssh_config' +ssh::server::service_name: 'ssh' ssh::sftp_server_path: '/usr/lib/openssh/sftp-server' -ssh::host_priv_key_group: 0 +ssh::server::host_priv_key_group: 0 diff --git a/data/DragonFly.yaml b/data/DragonFly.yaml index 1c1ae476..d7d94bc4 100644 --- a/data/DragonFly.yaml +++ b/data/DragonFly.yaml @@ -1,9 +1,8 @@ --- -ssh::sshd_dir: '/etc/ssh' -ssh::sshd_binary: '/usr/local/sbin/sshd' -ssh::sshd_config: '/etc/ssh/sshd_config' -ssh::ssh_config: '/etc/ssh/ssh_config' -ssh::ssh_known_hosts: '/etc/ssh/ssh_known_hosts' -ssh::service_name: 'sshd' +ssh::server::sshd_dir: '/etc/ssh' +ssh::server::sshd_binary: '/usr/local/sbin/sshd' +ssh::server::sshd_config: '/etc/ssh/sshd_config' +ssh::client::ssh_config: '/etc/ssh/ssh_config' +ssh::server::service_name: 'sshd' ssh::sftp_server_path: '/usr/libexec/sftp-server' -ssh::host_priv_key_group: 0 +ssh::server::host_priv_key_group: 0 diff --git a/data/FreeBSD.yaml b/data/FreeBSD.yaml index 1c1ae476..d7d94bc4 100644 --- a/data/FreeBSD.yaml +++ b/data/FreeBSD.yaml 
@@ -1,9 +1,8 @@ --- -ssh::sshd_dir: '/etc/ssh' -ssh::sshd_binary: '/usr/local/sbin/sshd' -ssh::sshd_config: '/etc/ssh/sshd_config' -ssh::ssh_config: '/etc/ssh/ssh_config' -ssh::ssh_known_hosts: '/etc/ssh/ssh_known_hosts' -ssh::service_name: 'sshd' +ssh::server::sshd_dir: '/etc/ssh' +ssh::server::sshd_binary: '/usr/local/sbin/sshd' +ssh::server::sshd_config: '/etc/ssh/sshd_config' +ssh::client::ssh_config: '/etc/ssh/ssh_config' +ssh::server::service_name: 'sshd' ssh::sftp_server_path: '/usr/libexec/sftp-server' -ssh::host_priv_key_group: 0 +ssh::server::host_priv_key_group: 0 diff --git a/data/Gentoo.yaml b/data/Gentoo.yaml index e0ae775b..37014c39 100644 --- a/data/Gentoo.yaml +++ b/data/Gentoo.yaml @@ -1,11 +1,10 @@ --- -ssh::server_package_name: 'openssh' -ssh::client_package_name: 'openssh' -ssh::sshd_dir: '/etc/ssh' -ssh::sshd_binary: '/usr/sbin/sshd' -ssh::sshd_config: '/etc/ssh/sshd_config' -ssh::ssh_config: '/etc/ssh/ssh_config' -ssh::ssh_known_hosts: '/etc/ssh/ssh_known_hosts' -ssh::service_name: 'sshd' +ssh::server::server_package_name: 'openssh' +ssh::client::client_package_name: 'openssh' +ssh::server::sshd_dir: '/etc/ssh' +ssh::server::sshd_binary: '/usr/sbin/sshd' +ssh::server::sshd_config: '/etc/ssh/sshd_config' +ssh::client::ssh_config: '/etc/ssh/ssh_config' +ssh::server::service_name: 'sshd' ssh::sftp_server_path: '/usr/lib64/misc/sftp-server' -ssh::host_priv_key_group: 0 +ssh::server::host_priv_key_group: 0 diff --git a/data/OpenBSD.yaml b/data/OpenBSD.yaml index c4e6954d..07879456 100644 --- a/data/OpenBSD.yaml +++ b/data/OpenBSD.yaml 
@@ -1,20 +1,19 @@ --- -ssh::sshd_dir: '/etc/ssh' -ssh::sshd_config: '/etc/ssh/sshd_config' -ssh::ssh_config: '/etc/ssh/ssh_config' -ssh::ssh_known_hosts: '/etc/ssh/ssh_known_hosts' -ssh::service_name: 'sshd' +ssh::server::sshd_dir: '/etc/ssh' +ssh::server::sshd_config: '/etc/ssh/sshd_config' +ssh::client::ssh_config: '/etc/ssh/ssh_config' +ssh::server::service_name: 'sshd' ssh::sftp_server_path: '/usr/libexec/sftp-server' -ssh::host_priv_key_group: 0 +ssh::server::host_priv_key_group: 0 -ssh::server_options: +ssh::server::default_options: ChallengeResponseAuthentication: 'no' X11Forwarding : 'yes' PrintMotd : 'no' AcceptEnv : 'LANG LC_*' Subsystem : "sftp %{lookup('ssh::sftp_server_path')}" -ssh::client_options: +ssh::client::default_options: 'Host *': SendEnv: 'LANG LC_*' HashKnownHosts: 'yes' diff --git a/data/OpenSuse.yaml b/data/OpenSuSE.yaml similarity index 61% rename from data/OpenSuse.yaml rename to data/OpenSuSE.yaml index 054cfc3f..41400cef 100644 --- a/data/OpenSuse.yaml +++ b/data/OpenSuSE.yaml @@ -1,3 +1,3 @@ --- -ssh::service_name: 'sshd' +ssh::server::service_name: 'sshd' ssh::sftp_server_path: '/usr/lib/ssh/sftp-server' diff --git a/data/RedHat-7.yaml b/data/RedHat-7.yaml index 845f62a3..9ee7359d 100644 --- a/data/RedHat-7.yaml +++ b/data/RedHat-7.yaml @@ -1,2 +1,2 @@ --- -ssh::host_priv_key_group: 'ssh_keys' +ssh::server::host_priv_key_group: 'ssh_keys' diff --git a/data/RedHat.yaml b/data/RedHat.yaml index e93a7e92..81138ce0 100644 --- a/data/RedHat.yaml +++ b/data/RedHat.yaml 
@@ -1,12 +1,11 @@ --- -ssh::server_package_name: 'openssh-server' -ssh::client_package_name: 'openssh-clients' -ssh::sshd_dir: '/etc/ssh' -ssh::sshd_binary: '/usr/sbin/sshd' -ssh::sshd_config: '/etc/ssh/sshd_config' -ssh::sshd_environments_file: '/etc/sysconfig/sshd' -ssh::ssh_config: '/etc/ssh/ssh_config' -ssh::ssh_known_hosts: '/etc/ssh/ssh_known_hosts' -ssh::service_name: 'sshd' +ssh::server::server_package_name: 'openssh-server' +ssh::client::client_package_name: 'openssh-clients' +ssh::server::sshd_dir: '/etc/ssh' +ssh::server::sshd_binary: '/usr/sbin/sshd' +ssh::server::sshd_config: '/etc/ssh/sshd_config' +ssh::server::sshd_environments_file: '/etc/sysconfig/sshd' +ssh::client::ssh_config: '/etc/ssh/ssh_config' +ssh::server::service_name: 'sshd' ssh::sftp_server_path: '/usr/libexec/openssh/sftp-server' -ssh::host_priv_key_group: 0 +ssh::server::host_priv_key_group: 0 diff --git a/data/SLES.yaml b/data/SLES.yaml index 054cfc3f..41400cef 100644 --- a/data/SLES.yaml +++ b/data/SLES.yaml @@ -1,3 +1,3 @@ --- -ssh::service_name: 'sshd' +ssh::server::service_name: 'sshd' ssh::sftp_server_path: '/usr/lib/ssh/sftp-server' diff --git a/data/SmartOS.yaml b/data/SmartOS.yaml index 91ddccdd..d9625d4c 100644 --- a/data/SmartOS.yaml +++ b/data/SmartOS.yaml @@ -1,8 +1,7 @@ --- -ssh::sshd_dir: '/etc/ssh' -ssh::sshd_config: '/etc/ssh/sshd_config' -ssh::ssh_config: '/etc/ssh/ssh_config' -ssh::ssh_known_hosts: '/etc/ssh/ssh_known_hosts' -ssh::service_name: 'svc:/network/ssh:default' +ssh::server::sshd_dir: '/etc/ssh' +ssh::server::sshd_config: '/etc/ssh/sshd_config' +ssh::client::ssh_config: '/etc/ssh/ssh_config' +ssh::server::service_name: 'svc:/network/ssh:default' ssh::sftp_server_path: 'internal-sftp' -ssh::host_priv_key_group: 0 +ssh::server::host_priv_key_group: 0 diff --git a/data/Solaris-10.yaml b/data/Solaris-10.yaml index 35a59395..29b5d713 100644 --- a/data/Solaris-10.yaml +++ b/data/Solaris-10.yaml 
@@ -1,3 +1,3 @@ --- -ssh::server_package_name: 'SUNWsshdu' -ssh::client_package_name: 'SUNWsshu' +ssh::server::server_package_name: 'SUNWsshdu' +ssh::client::client_package_name: 'SUNWsshu' diff --git a/data/Solaris.yaml b/data/Solaris.yaml index 89fe5370..1c35486c 100644 --- a/data/Solaris.yaml +++ b/data/Solaris.yaml @@ -1,16 +1,17 @@ --- -ssh::server_package_name: '/service/network/ssh' -ssh::client_package_name: '/network/ssh' -ssh::sshd_binary: '/lib/svc/method/sshd' -ssh::ssh::service_name: 'svc:/network/ssh:default' +ssh::server::server_package_name: '/service/network/ssh' +ssh::client::client_package_name: '/network/ssh' +ssh::server::sshd_binary: '/lib/svc/method/sshd' +ssh::server::service_name: 'svc:/network/ssh:default' +ssh::sftp_server_path: 'internal-sftp' -ssh:sshd_default_options: +ssh::server::default_options: ChallengeResponseAuthentication: 'no' X11Forwarding: 'yes' PrintMotd: 'no' Subsystem: "sftp %{lookup('ssh::sftp_server_path')}" HostKey: - - "%{lookup('ssh::sshd_dir')}/ssh_host_rsa_key" - - "%{lookup('ssh::sshd_dir')}/ssh_host_dsa_key" - -ssh::client_options: {} + - "%{lookup('ssh::server::sshd_dir')}/ssh_host_rsa_key" + - "%{lookup('ssh::server::sshd_dir')}/ssh_host_dsa_key" + +ssh::client::default_options: {} diff --git a/data/Suse.yaml b/data/Suse.yaml index bdd1fd13..30639fa7 100644 --- a/data/Suse.yaml +++ b/data/Suse.yaml 
@@ -1,10 +1,9 @@ --- -ssh::server_package_name: 'openssh' -ssh::client_package_name: 'openssh' -ssh::sshd_dir: '/etc/ssh' -ssh::sshd_binary: '/usr/sbin/sshd' -ssh::sshd_config: '/etc/ssh/sshd_config' -ssh::sshd_environments_file: '/etc/sysconfig/ssh' -ssh::ssh_config: '/etc/ssh/ssh_config' -ssh::ssh_known_hosts: '/etc/ssh/ssh_known_hosts' -ssh::host_priv_key_group: 0 +ssh::server::server_package_name: 'openssh' +ssh::client::client_package_name: 'openssh' +ssh::server::sshd_dir: '/etc/ssh' +ssh::server::sshd_binary: '/usr/sbin/sshd' +ssh::server::sshd_config: '/etc/ssh/sshd_config' +ssh::server::sshd_environments_file: '/etc/sysconfig/ssh' +ssh::client::ssh_config: '/etc/ssh/ssh_config' +ssh::server::host_priv_key_group: 0 diff --git a/data/common.yaml b/data/common.yaml index dcc69a05..51bc808d 100644 --- a/data/common.yaml +++ b/data/common.yaml @@ -8,21 +8,23 @@ lookup_options: merge: deep ssh::users_client_options: merge: deep + ssh::server::options: + merge: deep + ssh::client::options: + merge: deep -ssh::sshd_dir: '/etc/ssh' -ssh::sshd_config: '/etc/ssh/sshd_config' -ssh::ssh_config: '/etc/ssh/ssh_config' -ssh::ssh_known_hosts: '/etc/ssh/ssh_known_hosts' -ssh::service_name: 'svc:/network/ssh:default' +ssh::server::sshd_dir: '/etc/ssh' +ssh::server::sshd_config: '/etc/ssh/sshd_config' +ssh::client::ssh_config: '/etc/ssh/ssh_config' +ssh::server::service_name: 'svc:/network/ssh:default' ssh::sftp_server_path: 'internal-sftp' -ssh::host_priv_key_group: 0 +ssh::server::host_priv_key_group: 0 ssh::validate_sshd_file : false -ssh::user_ssh_directory_default_mode: '0700' -ssh::user_ssh_config_default_mode : '0600' ssh::collect_enabled : true # Collect sshkey resources -ssh::issue_net : '/etc/issue.net' +ssh::server::issue_net : '/etc/issue.net' +ssh::knownhosts::collect_enabled : true -ssh::server_options: +ssh::server::default_options: ChallengeResponseAuthentication: 'no' X11Forwarding: 'yes' PrintMotd: 'no' 
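Review bot: `ssh::collect_enabled : true # Collect sshkey resources` is kept while `ssh::knownhosts::collect_enabled : true` is added next to it, yet the init.pp hunk of this commit removes `Boolean $collect_enabled` from class `ssh`, so the old key no longer feeds any parameter and becomes dead data that still looks authoritative to anyone overriding it in their own Hiera layers. Either drop it or mark it, e.g. `# superseded by ssh::knownhosts::collect_enabled`. The same hunk removes `ssh::user_ssh_directory_default_mode` and `ssh::user_ssh_config_default_mode`, whose replacements are now per-resource parameters of `ssh::client::config::user`; an existing override of those keys stops taking effect silently, which deserves a note in the commit message or changelog.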
@@ -30,7 +32,7 @@ ssh::server_options: Subsystem: "sftp %{lookup('ssh::sftp_server_path')}" UsePAM: 'yes' -ssh::client_options: +ssh::client::default_options: 'Host *': SendEnv: 'LANG LC_*' HashKnownHosts: 'yes' diff --git a/lib/facter/ssh_client_version.rb b/lib/facter/ssh_client_version.rb index 92dadab6..70a3da52 100644 --- a/lib/facter/ssh_client_version.rb +++ b/lib/facter/ssh_client_version.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + Facter.add('ssh_client_version_full') do confine kernel: %w[Linux SunOS FreeBSD DragonFly Darwin] @@ -10,7 +12,7 @@ first. rstrip - version.gsub(%r{^(OpenSSH_|Sun_SSH_)([^ ,]+).*$}, '\2') unless version.nil? + version&.gsub(%r{^(OpenSSH_|Sun_SSH_)([^ ,]+).*$}, '\2') end end end @@ -21,7 +23,7 @@ setcode do version = Facter.value('ssh_client_version_full') - version.gsub(%r{^([0-9]+\.[0-9]+).*$}, '\1') unless version.nil? + version&.gsub(%r{^([0-9]+\.[0-9]+).*$}, '\1') end end @@ -31,6 +33,6 @@ setcode do version = Facter.value('ssh_client_version_full') - version.gsub(%r{^([0-9]+\.[0-9]+(?:\.[0-9]+)?).*$}, '\1') unless version.nil? + version&.gsub(%r{^([0-9]+\.[0-9]+(?:\.[0-9]+)?).*$}, '\1') end end diff --git a/lib/facter/ssh_server_version.rb b/lib/facter/ssh_server_version.rb index e04cfda2..7c31d560 100644 --- a/lib/facter/ssh_server_version.rb +++ b/lib/facter/ssh_server_version.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + Facter.add('ssh_server_version_full') do confine kernel: %w[Linux SunOS FreeBSD DragonFly Darwin] @@ -13,7 +15,7 @@ first. rstrip - version.gsub(%r{^(OpenSSH_|Sun_SSH_)([^ ,]+).*$}, '\2') unless version.nil? + version&.gsub(%r{^(OpenSSH_|Sun_SSH_)([^ ,]+).*$}, '\2') end end end @@ -40,6 +42,6 @@ setcode do version = Facter.value('ssh_server_version_full') - version.gsub(%r{^([0-9]+\.[0-9]+(?:\.[0-9]+)?).*$}, '\1') unless version.nil? + version&.gsub(%r{^([0-9]+\.[0-9]+(?:\.[0-9]+)?).*$}, '\1') end end 
diff --git a/lib/puppet/functions/ssh/ipaddresses.rb b/lib/puppet/functions/ssh/ipaddresses.rb index 82ea2487..01f6a6de 100644 --- a/lib/puppet/functions/ssh/ipaddresses.rb +++ b/lib/puppet/functions/ssh/ipaddresses.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + # @summary Returns ip addresses of network interfaces (except lo) found by facter. # @api private # @@ -23,13 +25,10 @@ def ipaddresses(excluded_interfaces = []) interfaces = {} facts['interfaces'].split(',').each do |iface| next if facts["ipaddress_#{iface}"].nil? && facts["ipaddress6_#{iface}"].nil? + interfaces[iface] = {} - if !facts["ipaddress_#{iface}"].nil? && !facts["ipaddress_#{iface}"].empty? - interfaces[iface]['bindings'] = [{ 'address' => facts["ipaddress_#{iface}"] }] - end - if !facts["ipaddress6_#{iface}"].nil? && !facts["ipaddress6_#{iface}"].empty? - interfaces[iface]['bindings6'] = [{ 'address' => facts["ipaddress6_#{iface}"] }] - end + interfaces[iface]['bindings'] = [{ 'address' => facts["ipaddress_#{iface}"] }] if !facts["ipaddress_#{iface}"].nil? && !facts["ipaddress_#{iface}"].empty? + interfaces[iface]['bindings6'] = [{ 'address' => facts["ipaddress6_#{iface}"] }] if !facts["ipaddress6_#{iface}"].nil? && !facts["ipaddress6_#{iface}"].empty? end end @@ -40,8 +39,10 @@ def ipaddresses(excluded_interfaces = []) %w[bindings bindings6].each do |binding_type| next unless data.key?(binding_type) + data[binding_type].each do |binding| next unless binding.key?('address') + result << binding['address'] end end diff --git a/lib/puppet/parser/functions/sshclient_options_to_augeas_ssh_config.rb b/lib/puppet/parser/functions/sshclient_options_to_augeas_ssh_config.rb index cd9a6e5d..01c1a1f4 100644 --- a/lib/puppet/parser/functions/sshclient_options_to_augeas_ssh_config.rb +++ b/lib/puppet/parser/functions/sshclient_options_to_augeas_ssh_config.rb 
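Review bot: The two rewritten modifier-`if` lines in the first ipaddresses.rb hunk run to roughly 170 columns and each evaluates `facts["ipaddress_#{iface}"]` three times, which reads worse than the `if` blocks they replace. Binding the fact once keeps exactly the same checks on short lines: `v4 = facts["ipaddress_#{iface}"]` followed by `interfaces[iface]['bindings'] = [{ 'address' => v4 }] if !v4.nil? && !v4.empty?`, and the same pattern for `ipaddress6_`. The enclosing `ipaddresses` method begins before this hunk.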
@@ -1,3 +1,5 @@ +# frozen_string_literal: true + module Puppet::Parser::Functions newfunction(:sshclient_options_to_augeas_ssh_config, type: :rvalue, doc: <<-'DOC') do |args| This function will convert a key-value hash to a format understandable by the augeas sshd_config provider @@ -66,27 +68,15 @@ module Puppet::Parser::Functions DOC - if args.empty? - raise Puppet::ParseError, 'sshclient_options_to_augeas_ssh_config: expects at least one argument' - end + raise Puppet::ParseError, 'sshclient_options_to_augeas_ssh_config: expects at least one argument' if args.empty? options = args[0] - unless options.is_a?(Hash) - raise Puppet::ParseError, 'sshclient_options_to_augeas_ssh_config: first argument must be a hash' - end + raise Puppet::ParseError, 'sshclient_options_to_augeas_ssh_config: first argument must be a hash' unless options.is_a?(Hash) options_absent = args[1] if args[1] other_parameters = args[2] if args[2] - if options_absent - unless options_absent.is_a?(Array) || options_absent.is_a?(String) - raise Puppet::ParseError, 'sshclient_options_to_augeas_ssh_config: second argument, if supplied, must be an array or a string' - end - end - if other_parameters - unless other_parameters.is_a?(Hash) - raise Puppet::ParseError, 'sshclient_options_to_augeas_ssh_config: third argument, if supplied, must be a hash' - end - end + raise Puppet::ParseError, 'sshclient_options_to_augeas_ssh_config: second argument, if supplied, must be an array or a string' if options_absent && !(options_absent.is_a?(Array) || options_absent.is_a?(String)) + raise Puppet::ParseError, 'sshclient_options_to_augeas_ssh_config: third argument, if supplied, must be a hash' if other_parameters && !other_parameters.is_a?(Hash) options_final_augeas = {} options.each do |key1, value1| diff --git a/lib/puppet/parser/functions/sshserver_options_to_augeas_sshd_config.rb b/lib/puppet/parser/functions/sshserver_options_to_augeas_sshd_config.rb index c34a253b..39a67812 100644 
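Review bot: The folded guard `raise Puppet::ParseError, '…second argument, if supplied, must be an array or a string' if options_absent && !(options_absent.is_a?(Array) || options_absent.is_a?(String))` places the condition some 150 columns after the message, and the identical fold appears in the sshserver_options_to_augeas_sshd_config hunk below; the nested `if`/`unless` it replaces was easier to verify. Since `options_absent` is only ever nil or the value of `args[1]`, the positive form reads the contract directly: `unless options_absent.nil? || options_absent.is_a?(Array) || options_absent.is_a?(String)` with the `raise` on its own line, and likewise `unless other_parameters.nil? || other_parameters.is_a?(Hash)`. The surrounding `newfunction` block starts before this hunk.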
--- a/lib/puppet/parser/functions/sshserver_options_to_augeas_sshd_config.rb +++ b/lib/puppet/parser/functions/sshserver_options_to_augeas_sshd_config.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + module Puppet::Parser::Functions newfunction(:sshserver_options_to_augeas_sshd_config, type: :rvalue, doc: <<-'DOC') do |args| This function will convert a key-value hash to a format understandable by the augeas sshd_config provider @@ -76,27 +78,15 @@ module Puppet::Parser::Functions DOC - if args.empty? - raise Puppet::ParseError, 'sshserver_options_to_augeas_sshd_config: expects at least one argument' - end + raise Puppet::ParseError, 'sshserver_options_to_augeas_sshd_config: expects at least one argument' if args.empty? options = args[0] - unless options.is_a?(Hash) - raise Puppet::ParseError, 'sshserver_options_to_augeas_sshd_config: first argument must be a hash' - end + raise Puppet::ParseError, 'sshserver_options_to_augeas_sshd_config: first argument must be a hash' unless options.is_a?(Hash) options_absent = args[1] if args[1] other_parameters = args[2] if args[2] - if options_absent - unless options_absent.is_a?(Array) || options_absent.is_a?(String) - raise Puppet::ParseError, 'sshserver_options_to_augeas_sshd_config: second argument, if supplied, must be an array or a string' - end - end - if other_parameters - unless other_parameters.is_a?(Hash) - raise Puppet::ParseError, 'sshserver_options_to_augeas_sshd_config: third argument, if supplied, must be a hash' - end - end + raise Puppet::ParseError, 'sshserver_options_to_augeas_sshd_config: second argument, if supplied, must be an array or a string' if options_absent && !(options_absent.is_a?(Array) || options_absent.is_a?(String)) + raise Puppet::ParseError, 'sshserver_options_to_augeas_sshd_config: third argument, if supplied, must be a hash' if other_parameters && !other_parameters.is_a?(Hash) options_final_augeas = {} options.each do |key1, value1| 
diff --git a/manifests/client.pp b/manifests/client.pp index f8f873bb..5c942fdf 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -1,4 +1,3 @@ -# @api private # @summary # This class add ssh client management # @@ -9,6 +8,12 @@ # use_augeas => false, # } # +# @param ssh_config +# Path to ssh client config file +# +# @param client_package_name +# Name of the client package +# # @param ensure # Ensurable param to ssh client # @@ -16,24 +21,31 @@ # Collected host keys from servers will be written to known_hosts unless storeconfigs_enabled is false # # @param options -# Dynamic hash for openssh client options +# SSH client options, will be deep_merged with default_options. This parameter takes precedence over default_options +# +# @param use_augeas +# Use augeas to configure ssh client # # @param options_absent # Remove options (with augeas style) # +# @param default_options +# Default options to set, will be merged with options parameter +# class ssh::client ( - String $ensure = present, - Boolean $storeconfigs_enabled = true, - Hash $options = {}, - Boolean $use_augeas = false, - Array $options_absent = [], + Stdlib::Absolutepath $ssh_config, + Hash $default_options, + Optional[String[1]] $client_package_name = undef, + String $ensure = present, + Boolean $storeconfigs_enabled = true, + Hash $options = {}, + Boolean $use_augeas = false, + Array $options_absent = [], ) { - assert_private() - if $use_augeas { - $merged_options = sshclient_options_to_augeas_ssh_config($options, $options_absent, { 'target' => $ssh::ssh_config }) + $merged_options = sshclient_options_to_augeas_ssh_config($options, $options_absent, { 'target' => $ssh_config }) } else { - $merged_options = $options + $merged_options = deep_merge($options, delete($default_options, keys($options))) } include ssh::client::install diff --git a/manifests/client/config.pp b/manifests/client/config.pp index 83be373d..947cd4f1 100644 --- a/manifests/client/config.pp +++ b/manifests/client/config.pp 
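Review bot: The new `@param options` text says the hash "will be deep_merged with default_options", but `deep_merge($options, delete($default_options, keys($options)))` first deletes every top-level default key that `$options` also sets, so nested keys are never merged: with the `'Host *'` defaults from data/common.yaml, `options => { 'Host *' => { 'ForwardAgent' => 'no' } }` discards `SendEnv` and `HashKnownHosts` entirely. Either the code or the doc should change; if per-top-level-key replacement is intended, say so: `# a top-level key in options replaces the whole matching default_options entry; nested keys are not merged`. Separately, removing `assert_private()` and `# @api private` (the server.pp hunk does the same for `ssh::server`) makes the class declarable by users, while class `ssh` still declares it with resource-like `class { 'ssh::client': … }` syntax, so `include ssh::client` evaluated before `ssh` now yields a duplicate-declaration failure rather than the previous explicit private-class error — the `include ssh::client` added in the user.pp hunk looks like one such path, depending on evaluation order.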
@@ -1,11 +1,18 @@ +# @summary +# Manages ssh configuration +# +# @api private +# class ssh::client::config { + assert_private() + $options = $ssh::client::merged_options $use_augeas = $ssh::client::use_augeas if $use_augeas { create_resources('ssh_config', $options) } else { - file { $ssh::ssh_config: + file { $ssh::client::ssh_config: ensure => file, owner => '0', group => '0', diff --git a/manifests/client/config/user.pp b/manifests/client/config/user.pp index c53ed8d7..a9425b05 100644 --- a/manifests/client/config/user.pp +++ b/manifests/client/config/user.pp 
@@ -3,15 +3,44 @@ # Contributor: Remi Ferrand (2015) # Contributor: Tim Meusel (2017) # +# @summary +# This defined type manages a users ssh config +# +# @param ensure +# Specifies whether the config file should be present or absent +# +# @param target +# Sets the config file location, defaults to `~/.ssh/config` if $target and $user_home_dir are not set +# +# @param user_home_dir +# Sets the location of users home dir, defaults to `/home/$user` +# +# @param manage_user_ssh_dir +# Whether the users ssh dir should be managed or not +# +# @param options +# Options which should be set +# +# @param user +# The name of the user the config should be managed for +# +# @param ssh_directory_default_mode +# Default mode for the users ssh dir +# +# @param ssh_config_default_mode +# Default mode for the ssh config file +# define ssh::client::config::user ( - Enum['present', 'absent'] $ensure = present, - Optional[Stdlib::Absolutepath] $target = undef, - Optional[Stdlib::Absolutepath] $user_home_dir = undef, - Boolean $manage_user_ssh_dir = true, - Hash $options = {}, - String[1] $user = $name, + Enum['present', 'absent'] $ensure = present, + Optional[Stdlib::Absolutepath] $target = undef, + Optional[Stdlib::Absolutepath] $user_home_dir = undef, + Boolean $manage_user_ssh_dir = true, + Hash $options = {}, + String[1] $user = $name, + String[1] $ssh_directory_default_mode = '0700', + String[1] $ssh_config_default_mode = '0600', ) { - include ssh + include ssh::client # If a specific target file was specified, # it must have higher priority than any @@ -33,7 +62,7 @@ file { $user_ssh_dir: ensure => directory, owner => $user, - mode => $ssh::user_ssh_directory_default_mode, + mode => $ssh_directory_default_mode, before => Concat_file[$_target], } } @@ -44,7 +73,7 @@ concat_file { $_target: ensure => $ensure, owner => $user, - mode => $ssh::user_ssh_config_default_mode, + mode => $ssh_config_default_mode, tag => $name, } } 
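Review bot: `String[1] $ssh_directory_default_mode = '0700'` and `String[1] $ssh_config_default_mode = '0600'` replace values that class `ssh` typed as `Stdlib::Filemode` (removed in the init.pp hunk of this commit), so any non-empty string now passes the parameter check and a typo such as `'07000'` only fails when the `file`/`concat_file` resource is applied. These modes protect the user's `.ssh` directory and config, so the stricter type is worth keeping: `Stdlib::Filemode $ssh_directory_default_mode = '0700',` and `Stdlib::Filemode $ssh_config_default_mode = '0600',`. The define's body continues past the last hunk.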
diff --git a/manifests/client/install.pp b/manifests/client/install.pp index d9f83dff..379cea2e 100644 --- a/manifests/client/install.pp +++ b/manifests/client/install.pp @@ -1,7 +1,14 @@ +# @summary +# Install ssh client package +# +# @api private +# class ssh::client::install { - if $ssh::client_package_name { + assert_private() + + if $ssh::client::client_package_name { ensure_packages([ - $ssh::client_package_name, + $ssh::client::client_package_name, ], { 'ensure' => $ssh::client::ensure, }) diff --git a/manifests/hostkeys.pp b/manifests/hostkeys.pp index 6a189812..0d66c85e 100644 --- a/manifests/hostkeys.pp +++ b/manifests/hostkeys.pp @@ -1,13 +1,31 @@ # @summary # This class manages hostkeys # +# @param export_ipaddresses +# Whether ip addresses should be added as aliases +# +# @param storeconfigs_group +# Tag hostkeys with this group to allow segregation +# +# @param extra_aliases +# Additional aliases to set for host keys +# +# @param exclude_interfaces +# List of interfaces to exclude +# +# @param exclude_ipaddresses +# List of ip addresses to exclude +# +# @param use_trusted_facts +# Whether to use trusted or normal facts +# class ssh::hostkeys ( - Boolean $export_ipaddresses = true, - Optional[String] $storeconfigs_group = undef, - Array $extra_aliases = [], - Array $exclude_interfaces = [], - Array $exclude_ipaddresses = [], - Boolean $use_trusted_facts = false, + Boolean $export_ipaddresses = true, + Optional[String[1]] $storeconfigs_group = undef, + Array $extra_aliases = [], + Array $exclude_interfaces = [], + Array $exclude_ipaddresses = [], + Boolean $use_trusted_facts = false, ) { if $use_trusted_facts { $fqdn_real = $trusted['certname'] diff --git a/manifests/init.pp b/manifests/init.pp index 27e2df41..3f062b26 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -111,9 +111,6 @@ # AuthorizedKeysFile: '/dev/null' # # -# @server_instances -# Configure SSH instances -# # @param server_options # Add dynamic options for ssh server config # 
@@ -147,33 +144,26 @@ # @param use_issue_net # Use issue_net header # +# @param purge_unmanaged_sshkeys +# Purge unmanaged sshkeys +# +# @param server_instances +# Configure SSH instances +# class ssh ( - Stdlib::Absolutepath $sshd_dir, - Stdlib::Absolutepath $sshd_binary, - Boolean $validate_sshd_file, - Stdlib::Absolutepath $sshd_config, - Stdlib::Absolutepath $ssh_config, - Stdlib::Filemode $user_ssh_directory_default_mode, - Stdlib::Filemode $user_ssh_config_default_mode, - Integer $host_priv_key_group, - String $service_name, - Boolean $collect_enabled, - Optional[Stdlib::Absolutepath] $sshd_environments_file = undef, - Optional[String] $server_package_name = undef, - Optional[String] $client_package_name = undef, - Hash[String[1],Hash[String[1],NotUndef]] $server_instances = {}, - Hash $server_options = {}, - Hash $server_match_block = {}, - Hash $client_options = {}, - Hash $users_client_options = {}, - String $version = 'present', - Boolean $storeconfigs_enabled = true, - Boolean $use_augeas = false, - Array $server_options_absent = [], - Array $client_options_absent = [], - Boolean $use_issue_net = false, - Boolean $purge_unmanaged_sshkeys = true, - + Optional[Hash] $server_options = undef, + Hash $server_match_block = {}, + Optional[Hash] $client_options = undef, + Hash $users_client_options = {}, + String $version = 'present', + Boolean $storeconfigs_enabled = true, + Boolean $validate_sshd_file = false, + Boolean $use_augeas = false, + Array $server_options_absent = [], + Array $client_options_absent = [], + Boolean $use_issue_net = false, + Boolean $purge_unmanaged_sshkeys = true, + Hash[String[1],Hash[String[1],NotUndef]] $server_instances = {}, ) { class { 'ssh::server': ensure => $version, diff --git a/manifests/knownhosts.pp b/manifests/knownhosts.pp index eed301df..3cd113e1 100644 --- a/manifests/knownhosts.pp +++ b/manifests/knownhosts.pp 
@@ -8,8 +8,8 @@ # Define the hostkeys group storage # class ssh::knownhosts ( - Boolean $collect_enabled = $ssh::collect_enabled, - Optional[String] $storeconfigs_group = undef, + Boolean $collect_enabled = $ssh::knownhosts::collect_enabled, + Optional[String[1]] $storeconfigs_group = undef, ) { if ($collect_enabled) { if $storeconfigs_group { diff --git a/manifests/server.pp b/manifests/server.pp index f17e82a8..04946faa 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -1,4 +1,3 @@ -# @api private # @summary # This class managed ssh server # @@ -9,6 +8,24 @@ # use_issue_net => false, # } # +# @param service_name +# Name of the sshd service +# +# @param sshd_config +# Path to the sshd_config file +# +# @param sshd_dir +# Path to the sshd dir (e.g. /etc/ssh) +# +# @param sshd_binary +# Path to the sshd binary +# +# @param host_priv_key_group +# Name of the group for the private host key +# +# @param default_options +# Default options to set, will be merged with options parameter +# # @param ensure # Ensurable param to ssh server # 
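Review bot: The new `@param host_priv_key_group` text says "Name of the group for the private host key", but the parameter is declared `Integer $host_priv_key_group` in the `ssh::server` signature added later in this commit, and host_key.pp passes it unchanged to `group =>` on the private key file. Either widen the type to `Variant[Integer, String[1]]` if a group name is meant to be accepted, or reword the doc to `# GID of the group that owns the private host key files`. Since this value decides who can read the private host keys, the documented contract and the enforced type should match.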
@@ -30,25 +47,37 @@ # @param match_block # Add sshd match_block (with concat) # -# @use_issue_net +# @param use_issue_net # Add issue_net banner # +# @param sshd_environments_file +# Path to a sshd environments file (e.g. /etc/defaults/ssh on Debian) +# +# @param server_package_name +# Name of the server package to install +# class ssh::server ( - String $ensure = present, - Boolean $storeconfigs_enabled = true, - Hash $options = {}, - Boolean $validate_sshd_file = false, - Boolean $use_augeas = false, - Array $options_absent = [], - Hash $match_block = {}, - Boolean $use_issue_net = false + String[1] $service_name, + Stdlib::Absolutepath $sshd_config, + Stdlib::Absolutepath $sshd_dir, + Stdlib::Absolutepath $sshd_binary, + Integer $host_priv_key_group, + Hash $default_options, + Enum[present,absent] $ensure = present, + Boolean $storeconfigs_enabled = true, + Hash $options = {}, + Boolean $validate_sshd_file = false, + Boolean $use_augeas = false, + Array $options_absent = [], + Hash $match_block = {}, + Boolean $use_issue_net = false, + Optional[Stdlib::Absolutepath] $sshd_environments_file = undef, + Optional[String[1]] $server_package_name = undef, ) { - assert_private() - if $use_augeas { - $merged_options = sshserver_options_to_augeas_sshd_config($options, $options_absent, { 'target' => $ssh::sshd_config }) + $merged_options = sshserver_options_to_augeas_sshd_config($options, $options_absent, { 'target' => $ssh::server::sshd_config }) } else { - $merged_options = $options + $merged_options = deep_merge($default_options, $options) } include ssh::server::install diff --git a/manifests/server/config.pp b/manifests/server/config.pp index 600de0af..cc632eff 100644 --- a/manifests/server/config.pp +++ b/manifests/server/config.pp @@ -4,6 +4,8 @@ # @api private # class ssh::server::config { + assert_private() + $options = $ssh::server::merged_options case $ssh::server::validate_sshd_file { 
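Review bot: `$default_options` is merged only on the concat path; the `use_augeas` branch still hands the raw `$options` to `sshserver_options_to_augeas_sshd_config`, so with `use_augeas => true` the defaults shipped in module data never reach sshd_config. If that is intended, say so on the parameter (`# Ignored when use_augeas is true`); otherwise pass the merged hash: `$merged_options = sshserver_options_to_augeas_sshd_config(deep_merge($default_options, $options), $options_absent, { 'target' => $sshd_config })`. Inside the class itself `$ssh::server::sshd_config` can simply be `$sshd_config`. The rest of the class body (the `include` lines) continues outside the hunk.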
@@ -18,35 +20,35 @@ if $ssh::server::use_augeas { create_resources('sshd_config', $options) } else { - concat { $ssh::sshd_config: + concat { $ssh::server::sshd_config: ensure => present, owner => 0, group => 0, mode => '0600', validate_cmd => $sshd_validate_cmd, - notify => Service[$ssh::service_name], + notify => Service[$ssh::server::service_name], } concat::fragment { 'global config': - target => $ssh::sshd_config, + target => $ssh::server::sshd_config, content => template("${module_name}/sshd_config.erb"), order => '00', } } if $ssh::server::use_issue_net { - file { $ssh::issue_net: + file { $ssh::server::issue_net: ensure => file, owner => 0, group => 0, mode => '0644', content => template("${module_name}/issue.net.erb"), - notify => Service[$ssh::service_name], + notify => Service[$ssh::server::service_name], } concat::fragment { 'banner file': - target => $ssh::sshd_config, - content => "Banner ${ssh::issue_net}\n", + target => $ssh::server::sshd_config, + content => "Banner ${ssh::server::issue_net}\n", order => '01', } } diff --git a/manifests/server/config/setting.pp b/manifests/server/config/setting.pp index 4a3d8455..4df78789 100644 --- a/manifests/server/config/setting.pp +++ b/manifests/server/config/setting.pp @@ -1,14 +1,21 @@ # @summary # Internal define to managed ssh server param # -# @api private +# @param key +# Key of the value which should be set +# +# @param value +# Value which should be set +# +# @param order +# Orders your setting within the config file # define ssh::server::config::setting ( - $key, - $value, - $order = '10' + String[1] $key, + Variant[Boolean, Array, Hash, String] $value, + Variant[String[1], Integer] $order = '10' ) { - include ssh + include ssh::server if is_bool($value) { $real_value = $value ? { 
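Review bot: `$ssh::server::issue_net` is referenced three times in the `use_issue_net` branch, but `issue_net` is not among the parameters of `ssh::server` declared in this commit; unless it is assigned as a local variable in the body of `ssh::server` outside the hunks shown, this resolves to an unknown variable and the banner file and `Banner` fragment are not managed. Either add an `Stdlib::Absolutepath $issue_net` parameter to `ssh::server` or put a comment here naming where it is defined, e.g. `# $issue_net is set in ssh::server from module data`. The `$options` assignment and the `case` on `validate_sshd_file` at the top of this class sit outside the hunk.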
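Review bot: In setting.pp the typed `$value` is still inspected with the legacy stdlib `is_bool($value)`, while the parameter now carries a `Variant[Boolean, Array, Hash, String]` type; the native type match `if $value =~ Boolean {` expresses the same test without the stdlib function and follows the typing introduced by this commit. The selector that builds `$real_value` continues outside the hunk.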
@@ -25,7 +32,7 @@ } concat::fragment { "ssh_setting_${name}_${key}": - target => $ssh::sshd_config, + target => $ssh::server::sshd_config, content => "\n# added by Ssh::Server::Config::Setting[${name}]\n${key} ${real_value}\n", order => $order, } diff --git a/manifests/server/host_key.pp b/manifests/server/host_key.pp index 40b886c4..d0ceb7b2 100644 --- a/manifests/server/host_key.pp +++ b/manifests/server/host_key.pp 
@@ -1,84 +1,86 @@ -# == Define: ssh::server::host_key +# @summary +# Manage a ssh host key # -# This module install a ssh host key in the server (basically, it is -# a file resource but it also notifies to the ssh service) +# This module install a ssh host key in the server (basically, it is +# a file resource but it also notifies to the ssh service) # -# Important! This define does not modify any option in sshd_config, so -# you have to manually define the HostKey option in the server options -# if you haven't done yet. +# Important! This define does not modify any option in sshd_config, so +# you have to manually define the HostKey option in the server options +# if you haven't done yet. # -# == Parameters -# -# [*ensure*] +# @param ensure # Set to 'absent' to remove host_key files # -# [*public_key_source*] +# @param public_key_source # Sets the content of the source parameter for the public key file # Note public_key_source and public_key_content are mutually exclusive. # -# [*public_key_content*] +# @param public_key_content # Sets the content for the public key file. # Note public_key_source and public_key_content are mutually exclusive. # -# [*private_key_source*] +# @param private_key_source # Sets the content of the source parameter for the private key file # Note private_key_source and private_key_content are mutually exclusive. # -# [*private_key_content*] +# @param private_key_content # Sets the content for the private key file. # Note private_key_source and private_key_content are mutually exclusive. # -# [*certificate_source*] +# @param certificate_source # Sets the content of the source parameter for the host key certificate. # Note certificate_source and certificate_content are mutually exclusive. # -# [*certificate_content*] +# @param certificate_content # Sets the content for the host key certificate. # Note certificate_source and certificate_content are mutually exclusive. 
# define ssh::server::host_key ( - $ensure = 'present', - $public_key_source = '', - $public_key_content = '', - $private_key_source = '', - $private_key_content = '', - $certificate_source = '', - $certificate_content = '', + Enum[present, absent] $ensure = 'present', + Optional[String[1]] $public_key_source = undef, + Optional[String[1]] $public_key_content = undef, + Optional[String[1]] $private_key_source = undef, + Optional[String[1]] $private_key_content = undef, + Optional[String[1]] $certificate_source = undef, + Optional[String[1]] $certificate_content = undef, ) { # Ensure the ssh::server class is included in the manifest include ssh::server - if $public_key_source == '' and $public_key_content == '' and $ensure == 'present' { - fail('You must provide either public_key_source or public_key_content parameter') - } - if $private_key_source == '' and $private_key_content == '' and $ensure == 'present' { - fail('You must provide either private_key_source or private_key_content parameter') + if $ensure == 'present' { + if ! $public_key_source and ! $public_key_content { + fail('You must provide either public_key_source or public_key_content parameter') + } + + if ! $private_key_source and ! $private_key_content { + fail('You must provide either private_key_source or private_key_content parameter') + } } $manage_pub_key_content = $public_key_source ? { - '' => $public_key_content, + undef => $public_key_content, default => undef, } $manage_pub_key_source = $public_key_source ? { - '' => undef, + undef => undef, default => $public_key_source, } $manage_priv_key_content = $private_key_source ? { - '' => $private_key_content, + undef => $private_key_content, default => undef, } $manage_priv_key_source = $private_key_source ? { - '' => undef, + undef => undef, default => $private_key_source, } $manage_cert_content = $certificate_source ? { - '' => $certificate_content, + undef => $certificate_content, default => undef, } $manage_cert_source = $certificate_source ? 
{ - '' => undef, + undef => undef, default => $certificate_source, } @@ -88,7 +90,7 @@ owner => 0, group => 0, mode => '0644', - path => "${ssh::sshd_dir}/${name}.pub", + path => "${ssh::server::sshd_dir}/${name}.pub", source => $manage_pub_key_source, content => $manage_pub_key_content, notify => Class['ssh::server::service'], @@ -97,9 +99,9 @@ file { "${name}_priv": ensure => $ensure, owner => 0, - group => $ssh::host_priv_key_group, + group => $ssh::server::host_priv_key_group, mode => '0600', - path => "${ssh::sshd_dir}/${name}", + path => "${ssh::server::sshd_dir}/${name}", source => $manage_priv_key_source, content => $manage_priv_key_content, show_diff => false, @@ -111,16 +113,16 @@ owner => 0, group => 0, mode => '0644', - path => "${ssh::sshd_dir}/${name}.pub", + path => "${ssh::server::sshd_dir}/${name}.pub", notify => Class['ssh::server::service'], } file { "${name}_priv": ensure => $ensure, owner => 0, - group => $ssh::host_priv_key_group, + group => $ssh::server::host_priv_key_group, mode => '0600', - path => "${ssh::sshd_dir}/${name}", + path => "${ssh::server::sshd_dir}/${name}", show_diff => false, notify => Class['ssh::server::service'], } @@ -133,7 +135,7 @@ owner => 0, group => 0, mode => '0644', - path => "${ssh::sshd_dir}/${name}-cert.pub", + path => "${ssh::server::sshd_dir}/${name}-cert.pub", source => $manage_cert_source, content => $manage_cert_content, notify => Class['ssh::server::service'], @@ -144,7 +146,7 @@ owner => 0, group => 0, mode => '0644', - path => "${ssh::sshd_dir}/${name}-cert.pub", + path => "${ssh::server::sshd_dir}/${name}-cert.pub", notify => Class['ssh::server::service'], } } diff --git a/manifests/server/install.pp b/manifests/server/install.pp index eed5802e..f32c3657 100644 --- a/manifests/server/install.pp +++ b/manifests/server/install.pp 
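Review bot: The `_source` selectors became identities — `$public_key_source ? { undef => undef, default => $public_key_source }` always yields `$public_key_source`, likewise for the private key and certificate — so the three `$manage_*_source` variables can be replaced by the parameters themselves. More importantly, the header documents `*_source` and `*_content` as mutually exclusive, yet when both are given the code silently discards `*_content`; a guard such as `if $public_key_source and $public_key_content { fail('public_key_source and public_key_content are mutually exclusive') }` (and the same for the private key and certificate pairs) would enforce the documented contract. The `file` resources of this define follow in the later hunks.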
@@ -4,10 +4,11 @@ # @api private # class ssh::server::install { - include ssh - if $ssh::server_package_name { + assert_private() + + if $ssh::server::server_package_name { ensure_packages ([ - $ssh::server_package_name, + $ssh::server::server_package_name, ], { 'ensure' => $ssh::server::ensure, }) diff --git a/manifests/server/instances.pp b/manifests/server/instances.pp index cb0b1f2f..72653326 100644 --- a/manifests/server/instances.pp +++ b/manifests/server/instances.pp 
@@ -1,22 +1,41 @@ -# @summary A short summary of the purpose of this defined type. +# @summary +# Configure separate ssh server instances # -# A description of what this defined type does +# @param ensure +# Specifies whether the instance should be added or removed # -# @options -# Structure see main class +# @param options +# Set options for the instance +# +# @param service_ensure +# Whether this instance service should be running or stopped +# +# @param service_enable +# Whether this instance service should be started at boot +# +# @param validate_config_file +# Validate config file before applying +# +# @param sshd_instance_config_file +# Path of the instance sshd config +# +# @param sshd_binary +# Path to sshd binary +# +# @param sshd_environments_file +# Path to environments file, if any # -# ssh::instances { 'namevar': } define ssh::server::instances ( - Enum[present, absent] $ensure = present, - Hash $options = {}, - Stdlib::Ensure::Service $service_ensure = 'running', - Boolean $service_enable = true, - Boolean $validate_config_file = false, - Stdlib::Absolutepath $sshd_instance_config_file = "${ssh::sshd_dir}/sshd_config.${title}", - Stdlib::Absolutepath $sshd_binary = $ssh::sshd_binary, - Optional[Stdlib::Absolutepath] $sshd_environments_file = $ssh::sshd_environments_file, + Enum[present, absent] $ensure = present, + Hash $options = {}, + Stdlib::Ensure::Service $service_ensure = 'running', + Boolean $service_enable = true, + Boolean $validate_config_file = false, + Stdlib::Absolutepath $sshd_instance_config_file = "${ssh::server::sshd_dir}/sshd_config.${title}", + Stdlib::Absolutepath $sshd_binary = $ssh::server::sshd_binary, + Optional[Stdlib::Absolutepath] $sshd_environments_file = $ssh::server::sshd_environments_file, ) { - include ssh + include ssh::server $sshd_instance_config = assert_type(Hash, pick($options['sshd_config'], {})) $sshd_instance_matchblocks = assert_type(Hash, pick($options['match_blocks'], {})) 
diff --git a/manifests/server/match_block.pp b/manifests/server/match_block.pp index a883527c..2a80b4ff 100644 --- a/manifests/server/match_block.pp +++ b/manifests/server/match_block.pp @@ -1,11 +1,23 @@ # @summary -# Add match_block to ssh server config (concat needed) +# Add match_block to ssh server config +# +# @param options +# Options which should be set +# +# @param type +# Type of match_block, e.g. user, group, host, ... +# +# @param order +# Orders your settings within the config file +# +# @param target +# Sets the target file of the concat fragment # define ssh::server::match_block ( - Hash $options = {}, - String $type = 'user', - Integer $order = 50, - Stdlib::Absolutepath $target = $ssh::params::sshd_config, + Hash $options = {}, + String[1] $type = 'user', + Integer $order = 50, + Stdlib::Absolutepath $target = $ssh::server::sshd_config, ) { if $ssh::server::use_augeas { fail('ssh::server::match_block() define not supported with use_augeas = true') diff --git a/manifests/server/options.pp b/manifests/server/options.pp index d4e0e548..ce687c08 100644 --- a/manifests/server/options.pp +++ b/manifests/server/options.pp @@ -1,14 +1,18 @@ # @summary -# Managed ssh server options +# This defined type manages ssh server options # -# @api private +# @param options +# Options which should be set +# +# @param order +# Orders your settings within the config file # define ssh::server::options ( - Hash $options = {}, - Integer $order = 50 + Hash $options = {}, + Integer $order = 50 ) { concat::fragment { "options ${name}": - target => $ssh::sshd_config, + target => $ssh::server::sshd_config, content => template("${module_name}/options.erb"), order => 100+$order, } diff --git a/manifests/server/service.pp b/manifests/server/service.pp index a668cc6f..990ec3cd 100644 --- a/manifests/server/service.pp +++ b/manifests/server/service.pp @@ -1,6 +1,8 @@ # @summary # This class managed ssh server service # +# @api private +# # @param ensure # Ensurable service param # 
@@ -8,13 +10,12 @@ # Define if service is enable # class ssh::server::service ( - String $ensure = 'running', - Boolean $enable = true + Stdlib::Ensure::Service $ensure = 'running', + Boolean $enable = true, ) { - include ssh - include ssh::server + assert_private() - service { $ssh::service_name: + service { $ssh::server::service_name: ensure => $ssh::server::service::ensure, hasstatus => true, hasrestart => true, diff --git a/spec/acceptance/init_spec.rb b/spec/acceptance/init_spec.rb index 7808cc7f..b8a1e443 100644 --- a/spec/acceptance/init_spec.rb +++ b/spec/acceptance/init_spec.rb @@ -18,15 +18,18 @@ describe package(package_name) do it { is_expected.to be_installed } end + describe port(22) do it { is_expected.to be_listening } end + describe service('sshd') do it { is_expected.to be_enabled } it { is_expected.to be_running } end end end + context 'Server with a seperate sftp_server_init instance on Port 8022' do it_behaves_like 'an idempotent resource' do let(:manifest) do @@ -57,9 +60,11 @@ class { 'ssh': describe package(package_name) do it { is_expected.to be_installed } end + describe port(8022) do it { is_expected.to be_listening } end + describe service('sftp_server_init') do it { is_expected.to be_enabled } it { is_expected.to be_running } diff --git a/spec/classes/client_spec.rb b/spec/classes/client_spec.rb new file mode 100644 index 00000000..c30ec1bb --- /dev/null +++ b/spec/classes/client_spec.rb 
@@ -0,0 +1,39 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'ssh::client', type: 'class' do + on_supported_os.each do |os, os_facts| + context "on #{os}" do + let(:facts) { os_facts } + + context 'with no other parameters' do + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_class('ssh::knownhosts') } + it { is_expected.to contain_class('ssh::client::config') } + it { is_expected.to contain_class('ssh::client::install') } + it { is_expected.to contain_file('/etc/ssh/ssh_config') } + end + + context 'with a different ssh_config location' do + let :params do + { + ssh_config: '/etc/ssh/another_ssh_config' + } + end + + it { is_expected.to contain_file('/etc/ssh/another_ssh_config') } + end + + context 'with storeconfigs_enabled set to false' do + let :params do + { + storeconfigs_enabled: false + } + end + + it { is_expected.not_to contain_class('ssh::knownhosts') } + end + end + end +end diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index e4734645..7882b919 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb 
@@ -1,48 +1,116 @@ +# frozen_string_literal: true + require 'spec_helper' describe 'ssh', type: 'class' do on_supported_os.each do |os, os_facts| - let(:facts) { os_facts } - context "on #{os}" do - context 'Server with a seperate sftp_server_init instance on Port 8022' do - let :params do - { - 'server_instances' => { - 'sftp_server_init' => { - 'ensure' => 'present', - 'options' => { - 'sshd_config' => { - 'Port' => 8022, - 'Protocol' => 2, - 'AddressFamily' => 'any', - 'HostKey' => '/etc/ssh/ssh_host_rsa_key', - 'SyslogFacility' => 'AUTH', - 'LogLevel' => 'INFO', - 'PermitRootLogin' => 'no', + let(:facts) { os_facts } + + case os_facts[:os]['family'] + when 'Debian' + client_package = 'openssh-client' + server_package = 'openssh-server' + sftp_server_path = '/usr/lib/openssh/sftp-server' + when 'Archlinux' + client_package = 'openssh' + server_package = 'openssh' + sftp_server_path = '/usr/lib/ssh/sftp-server' + when 'Amazon', 'RedHat' + client_package = 'openssh-clients' + server_package = 'openssh-server' + sftp_server_path = '/usr/libexec/openssh/sftp-server' + when 'Gentoo' + client_package = 'openssh' + server_package = 'openssh' + sftp_server_path = '/usr/lib64/misc/sftp-server' + when 'Solaris' + case os_facts[:os]['release']['major'] + when 10 + client_package = 'SUNWsshu' + server_package = 'SUNWsshdu' + else + client_package = '/network/ssh' + server_package = '/service/network/ssh' + end + sftp_server_path = 'internal-sftp' + when 'SmartOS' + sftp_server_path = 'internal-sftp' + when 'Suse' + client_package = 'openssh' + server_package = 'openssh' + case os_facts[:os]['name'] + when 'OpenSuSE' + sftp_server_path = '/usr/lib/ssh/sftp-server' + when 'SLES' + sftp_server_path = case os_facts[:os]['release']['major'] + when 10, 11 + '/usr/lib64/ssh/sftp-server' + else + '/usr/lib/ssh/sftp-server' + end + end + else + client_package = nil + server_package = nil + sftp_server_path = '/usr/libexec/sftp-server' + end + + case os_facts[:os]['family'] + when 
'Solaris' + ssh_config_expected_default = "# File managed by Puppet\n\n" + ssh_config_expected_custom = "# File managed by Puppet\n\nHostFoo\n HostName bar\nSomeOtherKey someValue\n" + sshd_config_default = "# File is managed by Puppet\n\nChallengeResponseAuthentication no\nHostKey /etc/ssh/ssh_host_rsa_key\nHostKey /etc/ssh/ssh_host_dsa_key\nPrintMotd no\nSubsystem sftp #{sftp_server_path}\nX11Forwarding yes\n" + sshd_config_custom = "# File is managed by Puppet\n\nChallengeResponseAuthentication no\nHostKey /etc/ssh/ssh_host_rsa_key\nHostKey /etc/ssh/ssh_host_dsa_key\nPrintMotd no\nSomeOtherKey someValue\nSubsystem sftp #{sftp_server_path}\nUsePAM no\nX11Forwarding no\n" + else + ssh_config_expected_default = "# File managed by Puppet\n\nHost *\n HashKnownHosts yes\n SendEnv LANG LC_*\n" + ssh_config_expected_custom = "# File managed by Puppet\n\nHostFoo\n HostName bar\nSomeOtherKey someValue\nHost *\n HashKnownHosts yes\n SendEnv LANG LC_*\n" + sshd_config_default = "# File is managed by Puppet\n\nAcceptEnv LANG LC_*\nChallengeResponseAuthentication no\nPrintMotd no\nSubsystem sftp #{sftp_server_path}\nUsePAM yes\nX11Forwarding yes\n" + sshd_config_custom = "# File is managed by Puppet\n\nAcceptEnv LANG LC_*\nChallengeResponseAuthentication no\nPrintMotd no\nSomeOtherKey someValue\nSubsystem sftp #{sftp_server_path}\nUsePAM no\nX11Forwarding no\n" + end + + if os_facts[:kernel] == 'Linux' + context 'Server with a separate sftp_server_init instance on Port 8022' do + let :params do + { + 'server_instances' => { + 'sftp_server_init' => { + 'ensure' => 'present', + 'options' => { + 'sshd_config' => { + 'Port' => 8022, + 'Protocol' => 2, + 'AddressFamily' => 'any', + 'HostKey' => '/etc/ssh/ssh_host_rsa_key', + 'SyslogFacility' => 'AUTH', + 'LogLevel' => 'INFO', + 'PermitRootLogin' => 'no', + }, + 'sshd_service_options' => '', + 'match_blocks' => {}, }, - 'sshd_service_options' => '', - 'match_blocks' => {}, }, }, - }, - } - end + } + end - it { is_expected.to 
compile.with_all_deps } - it { is_expected.to contain_concat('/etc/ssh/sshd_config.sftp_server_init') } - it { is_expected.to contain_concat__fragment('sshd instance sftp_server_init config') } - it { is_expected.to contain_systemd__unit_file('sftp_server_init.service') } - it { is_expected.to contain_service('sftp_server_init.service') } - it { is_expected.to contain_ssh__server__instances('sftp_server_init') } - it { is_expected.to contain_class('ssh::client') } - it { is_expected.to contain_class('ssh::server') } - it { is_expected.to contain_concat('/etc/ssh/sshd_config').with_validate_cmd(nil) } - it { is_expected.to contain_resources('sshkey').with_purge(true) } + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_concat('/etc/ssh/sshd_config.sftp_server_init') } + it { is_expected.to contain_concat__fragment('sshd instance sftp_server_init config').with_content("# File is managed by Puppet\nAddressFamily any\nPort 8022\n\nHostKey /etc/ssh/ssh_host_rsa_key\nLogLevel INFO\nPermitRootLogin no\nProtocol 2\nSyslogFacility AUTH\n") } + it { is_expected.to contain_systemd__unit_file('sftp_server_init.service') } + it { is_expected.to contain_service('sftp_server_init.service') } + it { is_expected.to contain_ssh__server__instances('sftp_server_init') } + it { is_expected.to contain_class('ssh::client') } + it { is_expected.to contain_class('ssh::server') } + it { is_expected.to contain_concat('/etc/ssh/sshd_config').with_validate_cmd(nil) } + it { is_expected.to contain_resources('sshkey').with_purge(true) } + end end + context 'with all defaults' do it { is_expected.to compile.with_all_deps } end + context 'with the validate_sshd_file setting' do let :params do { @@ -50,9 +118,9 @@ } end - it { is_expected.to contain_class('ssh::client') } it { is_expected.to contain_concat('/etc/ssh/sshd_config').with_validate_cmd('/usr/sbin/sshd -tf %') } end + context 'without resource purging' do let :params do { 
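Review bot: The expected config bodies (`ssh_config_expected_default`, `sshd_config_default` and the custom variants) are single-line strings with embedded `\n`, which makes a failing `with_content` diff hard to read; squiggly heredocs (`<<~CONFIG`) would show one directive per line and make the pinned defaults easier to audit. The `when 'SmartOS'` branch assigns only `sftp_server_path`, relying on `client_package`/`server_package` being `nil` because Ruby declares locals at parse time; an explicit `client_package = server_package = nil` there would make that intent visible. The `describe` block and the remaining contexts continue outside the hunk.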
@@ -62,11 +130,56 @@ it { is_expected.not_to contain_resources('sshkey') } end + context 'with no other parameters' do it { is_expected.to contain_class('ssh::client') } it { is_expected.to contain_class('ssh::server') } + it { is_expected.to contain_file('/etc/ssh/ssh_config').with_content(ssh_config_expected_default) } it { is_expected.to contain_concat('/etc/ssh/sshd_config').with_validate_cmd(nil) } it { is_expected.to contain_resources('sshkey').with_purge(true) } + it { is_expected.to contain_concat__fragment('global config').with_content(sshd_config_default) } + + it { is_expected.to contain_package(client_package).with_ensure('installed') } if client_package + it { is_expected.to contain_package(server_package).with_ensure('installed') } if server_package + end + + context 'with custom server options' do + let :params do + { + server_options: { + X11Forwarding: 'no', + UsePAM: 'no', + SomeOtherKey: 'someValue' + } + } + end + + it { is_expected.to contain_concat__fragment('global config').with_content(sshd_config_custom) } + end + + context 'with custom client options' do + let :params do + { + client_options: { + HostFoo: { + HostName: 'bar' + }, + SomeOtherKey: 'someValue' + } + } + end + + it { is_expected.to contain_file('/etc/ssh/ssh_config').with_content(ssh_config_expected_custom) } + end + + context 'with storeconfigs_enabled set to false' do + let :params do + { + storeconfigs_enabled: false + } + end + + it { is_expected.not_to contain_class('ssh::knownhosts') } end end end diff --git a/spec/classes/server_spec.rb b/spec/classes/server_spec.rb new file mode 100644 index 00000000..2305a986 --- /dev/null +++ b/spec/classes/server_spec.rb 
@@ -0,0 +1,97 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'ssh::server', type: 'class' do + on_supported_os.each do |os, os_facts| + context "on #{os}" do + let(:facts) { os_facts } + + svc_name = case os_facts[:os]['family'] + when 'Debian' + 'ssh' + when 'Archlinux' + 'sshd.service' + when 'Darwin' + 'com.openssh.sshd' + when 'Solaris', 'SmartOS' + 'svc:/network/ssh:default' + else + 'sshd' + end + + sshd_config_custom = case os_facts[:os]['family'] + when 'Solaris' + "# File is managed by Puppet\n\nChallengeResponseAuthentication no\nHostKey /etc/ssh/ssh_host_rsa_key\nHostKey /etc/ssh/ssh_host_dsa_key\nPrintMotd no\nSomeOtherKey someValue\nSubsystem sftp /some/path\nUsePAM no\nX11Forwarding no\n" + else + "# File is managed by Puppet\n\nAcceptEnv LANG LC_*\nChallengeResponseAuthentication no\nPrintMotd no\nSomeOtherKey someValue\nSubsystem sftp /some/path\nUsePAM no\nX11Forwarding no\n" + end + + context 'with no other parameters' do + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_class('ssh::knownhosts') } + it { is_expected.to contain_class('ssh::server::config') } + it { is_expected.to contain_class('ssh::server::install') } + it { is_expected.to contain_class('ssh::server::service') } + it { is_expected.to contain_service(svc_name) } + it { is_expected.to contain_concat('/etc/ssh/sshd_config').with_validate_cmd(nil) } + it { is_expected.to contain_concat__fragment('global config') } + end + + context 'with custom options' do + let :params do + { + options: { + Subsystem: 'sftp /some/path', + X11Forwarding: 'no', + UsePAM: 'no', + SomeOtherKey: 'someValue' + } + } + end + + it { is_expected.to contain_concat__fragment('global config').with_content(sshd_config_custom) } + end + + context 'with a custom service_name' do + let :params do + { + service_name: 'custom_sshd_name' + } + end + + it { is_expected.to contain_service('custom_sshd_name') } + end + + context 'with the validate_sshd_file setting' do + 
let :params do + { + validate_sshd_file: true + } + end + + it { is_expected.to contain_concat('/etc/ssh/sshd_config').with_validate_cmd('/usr/sbin/sshd -tf %') } + end + + context 'with a different sshd_config location' do + let :params do + { + sshd_config: '/etc/ssh/another_sshd_config' + } + end + + it { is_expected.to contain_concat('/etc/ssh/another_sshd_config') } + end + + context 'with storeconfigs_enabled set to false' do + let :params do + { + storeconfigs_enabled: false + } + end + + it { is_expected.not_to contain_class('ssh::knownhosts') } + end + end + end +end diff --git a/spec/defines/client/config/user_spec.rb b/spec/defines/client/config/user_spec.rb index 97ec1d14..b40b27d7 100644 --- a/spec/defines/client/config/user_spec.rb +++ b/spec/defines/client/config/user_spec.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + require 'spec_helper' describe 'ssh::client::config::user' do diff --git a/spec/defines/server/config/setting_spec.rb b/spec/defines/server/config/setting_spec.rb index 1e1ccc18..be520424 100644 --- a/spec/defines/server/config/setting_spec.rb +++ b/spec/defines/server/config/setting_spec.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + require 'spec_helper' describe 'ssh::server::config::setting' do @@ -10,6 +12,7 @@ context 'with all defaults' do it { is_expected.not_to compile } end + describe 'with key => "AllowGroups", value => "group1 group2"' do let :params do { diff --git a/spec/defines/server/host_key_spec.rb b/spec/defines/server/host_key_spec.rb index 4613c480..6a717a9e 100644 --- a/spec/defines/server/host_key_spec.rb +++ b/spec/defines/server/host_key_spec.rb 
@@ -1,16 +1,18 @@ +# frozen_string_literal: true + require 'spec_helper' describe 'ssh::server::host_key', type: :define do on_supported_os.each do |os, os_facts| - let(:facts) { os_facts } - context "on #{os}" do + let(:facts) { os_facts } let(:title) { 'something' } let(:pre_condition) { 'include ssh' } context 'with all defaults' do it { is_expected.to compile.and_raise_error(%r{You must provide either public_key_source or public_key_content parameter}) } end + describe 'with public_key_content, private_key_content and certificate_content' do let :params do { @@ -21,6 +23,7 @@ end it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_file('something_pub'). with_content('abc'). diff --git a/spec/defines/server/instances_spec.rb b/spec/defines/server/instances_spec.rb index 1882f8b3..bf4bbc89 100644 --- a/spec/defines/server/instances_spec.rb +++ b/spec/defines/server/instances_spec.rb @@ -77,9 +77,7 @@ context "on #{os}" do let(:facts) { os_facts } - if os_facts[:kernel] != 'Linux' - it { is_expected.to compile.and_raise_error(%r{not supported, because Systemd is not available}) } - else + if os_facts[:kernel] == 'Linux' it { is_expected.to compile.with_all_deps } it { is_expected.to contain_concat('/etc/ssh/sshd_config.sftp_server') } it { is_expected.to contain_concat__fragment('sshd instance sftp_server config') } @@ -87,10 +85,13 @@ it { is_expected.to contain_ssh__server__match_block('*,!ssh_exempt_ldap_authkey,!sshlokey') } it { is_expected.to contain_systemd__unit_file('sftp_server.service') } it { is_expected.to contain_service('sftp_server.service') } + else + it { is_expected.to compile.and_raise_error(%r{not supported, because Systemd is not available}) } end end end end + context 'minimal setup' do let(:title) { 'sftp_server' } let :pre_condition do 
@@ -119,13 +120,13 @@ context "on #{os}" do let(:facts) { os_facts } - if os_facts[:kernel] != 'Linux' - it { is_expected.to compile.and_raise_error(%r{not supported, because Systemd is not available}) } - else + if os_facts[:kernel] == 'Linux' it { is_expected.to compile.with_all_deps } it { is_expected.to contain_concat__fragment('sshd instance sftp_server config') } it { is_expected.to contain_systemd__unit_file('sftp_server.service') } it { is_expected.to contain_service('sftp_server.service') } + else + it { is_expected.to compile.and_raise_error(%r{not supported, because Systemd is not available}) } end end end diff --git a/spec/defines/server/match_block_spec.rb b/spec/defines/server/match_block_spec.rb index 75e97f4f..14b306cc 100644 --- a/spec/defines/server/match_block_spec.rb +++ b/spec/defines/server/match_block_spec.rb @@ -27,6 +27,7 @@ it { is_expected.to compile.with_all_deps } it { is_expected.to contain_concat__fragment('match_block *,!ssh_exempt_ldap_authkey,!sshlokey') } end + context 'with ssh_deny_pw_auth,sshdnypw' do let(:title) { 'ssh_deny_pw_auth,sshdnypw' } let(:params) do diff --git a/spec/functions/ssh/ipaddresses_spec.rb b/spec/functions/ssh/ipaddresses_spec.rb index e0361188..fe5c2dd4 100644 --- a/spec/functions/ssh/ipaddresses_spec.rb +++ b/spec/functions/ssh/ipaddresses_spec.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + require 'spec_helper' describe 'ssh::ipaddresses', type: :puppet_function do @@ -21,6 +23,7 @@ is_expected.to run.with_params(['docker0']).and_return(['10.13.42.61', '10.0.0.110', '10.0.0.104', '10.0.0.109']) end end + describe 'with excluded interfaces' do it 'doesn\'t return the IPs of those interfaces' do is_expected.to run.with_params(%w[docker0 eno1]).and_return([]) 
@@ -50,6 +53,7 @@ is_expected.to run.with_params(['docker0']).and_return(['10.13.42.61']) end end + describe 'with excluded interfaces' do it 'doesn\'t return the IPs of those interfaces' do is_expected.to run.with_params(%w[docker0 eno1]).and_return([]) diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index fb5f0cbe..4d617f39 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb @@ -1,17 +1,17 @@ +# frozen_string_literal: true + # Managed by modulesync - DO NOT EDIT # https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ # puppetlabs_spec_helper will set up coverage if the env variable is set. # We want to do this if lib exists and it hasn't been explicitly set. -ENV['COVERAGE'] ||= 'yes' if Dir.exist?(File.expand_path('../../lib', __FILE__)) +ENV['COVERAGE'] ||= 'yes' if Dir.exist?(File.expand_path('../lib', __dir__)) require 'voxpupuli/test/spec_helper' if File.exist?(File.join(__dir__, 'default_module_facts.yml')) facts = YAML.safe_load(File.read(File.join(__dir__, 'default_module_facts.yml'))) - if facts - facts.each do |name, value| - add_custom_fact name.to_sym, value - end + facts&.each do |name, value| + add_custom_fact name.to_sym, value end end diff --git a/spec/spec_helper_acceptance.rb b/spec/spec_helper_acceptance.rb index 52e2f890..42ecdb41 100644 --- a/spec/spec_helper_acceptance.rb +++ b/spec/spec_helper_acceptance.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + require 'voxpupuli/acceptance/spec_helper_acceptance' configure_beaker diff --git a/spec/unit/facter/util/fact_ssh_client_version_spec.rb b/spec/unit/facter/util/fact_ssh_client_version_spec.rb index 877419fa..7daa3ecc 100644 --- a/spec/unit/facter/util/fact_ssh_client_version_spec.rb +++ b/spec/unit/facter/util/fact_ssh_client_version_spec.rb @@ -1,7 +1,10 @@ +# frozen_string_literal: true + require 'spec_helper' describe 'ssh_client_version_full' do before { Facter.clear } + after { Facter.clear } context 'when on a Linux host' do 
@@ -10,16 +13,19 @@ allow(Facter::Util::Resolution).to receive(:which).with('ssh').and_return('/usr/bin/ssh') allow(Facter::Util::Resolution).to receive(:exec).with('ssh -V 2>&1').and_return('OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8, OpenSSL 1.0.1f 6 Jan 2014') end + it 'execs ssh -V and returns full version number' do expect(Facter.fact(:ssh_client_version_full).value).to eq('6.6.1p1') end end + context 'when on a SunOS host' do before do allow(Facter.fact(:kernel)).to receive(:value).and_return('SunOS') allow(Facter::Util::Resolution).to receive(:which).with('ssh').and_return('/usr/bin/ssh') allow(Facter::Util::Resolution).to receive(:exec).with('ssh -V 2>&1').and_return('Sun_SSH_2.4, SSH protocols 1.5/2.0, OpenSSL 0x100020bf') end + it 'execs ssh -V and returns full version number' do expect(Facter.fact(:ssh_client_version_full).value).to eq('2.4') end diff --git a/spec/unit/facter/util/fact_ssh_server_version_major_spec.rb b/spec/unit/facter/util/fact_ssh_server_version_major_spec.rb index d2f18f57..59b26f6f 100644 --- a/spec/unit/facter/util/fact_ssh_server_version_major_spec.rb +++ b/spec/unit/facter/util/fact_ssh_server_version_major_spec.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + require 'spec_helper' describe Facter::Util::Fact do @@ -12,6 +14,7 @@ before do allow(Facter.fact(:ssh_server_version_full)).to receive(:value).and_return('6.6.1p1') end + it do expect(Facter.fact(:ssh_server_version_major).value).to eq('6') end @@ -23,6 +26,7 @@ before do allow(Facter.fact(:ssh_server_version_full)).to receive(:value).and_return('7.2p2') end + it do expect(Facter.fact(:ssh_server_version_major).value).to eq('7') end @@ -33,6 +37,7 @@ before do allow(Facter.fact(:ssh_server_version_full)).to receive(:value).and_return(nil) end + it do expect(Facter.fact(:ssh_server_version_major).value).to be_nil end diff --git a/spec/unit/facter/util/fact_ssh_server_version_spec.rb b/spec/unit/facter/util/fact_ssh_server_version_spec.rb index 96d9babd..116dcfb4 100644 
--- a/spec/unit/facter/util/fact_ssh_server_version_spec.rb +++ b/spec/unit/facter/util/fact_ssh_server_version_spec.rb @@ -1,7 +1,10 @@ +# frozen_string_literal: true + require 'spec_helper' describe 'ssh_server_version_full' do before { Facter.clear } + after { Facter.clear } context 'when on a Linux host' do @@ -10,16 +13,19 @@ allow(Facter::Util::Resolution).to receive(:which).with('sshd').and_return('/usr/bin/sshd') allow(Facter::Util::Resolution).to receive(:exec).with('sshd -V 2>&1').and_return('OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8, OpenSSL 1.0.1f 6 Jan 2014') end + it 'execs sshd -V and returns full version number' do expect(Facter.fact(:ssh_server_version_full).value).to eq('6.6.1p1') end end + context 'when on a SunOS host' do before do allow(Facter.fact(:kernel)).to receive(:value).and_return('SunOS') allow(Facter::Util::Resolution).to receive(:which).with('sshd').and_return('/usr/bin/sshd') allow(Facter::Util::Resolution).to receive(:exec).with('sshd -V 2>&1').and_return('Sun_SSH_2.4, SSH protocols 1.5/2.0, OpenSSL 0x100020bf') end + it 'execs sshd -V and returns full version number' do expect(Facter.fact(:ssh_server_version_full).value).to eq('2.4') end diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb index 374441fa..07af0880 100644 --- a/templates/sshd_config.erb +++ b/templates/sshd_config.erb @@ -11,11 +11,10 @@ end end -%> -<%- options = scope.lookupvar('ssh::server::merged_options') -%> -<%- if addressfamily = options.delete('AddressFamily') -%> +<%- if addressfamily = @options.delete('AddressFamily') -%> AddressFamily <%= addressfamily %> <%- end -%> -<%- if port = options.delete('Port') -%> +<%- if port = @options.delete('Port') -%> <%- if port.is_a?(Array) -%> <%- port.reject{ |x| x.to_s.strip.empty? }.each do |p| -%> Port <%= p %> 
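Review bot: `@options.delete('AddressFamily')`, together with the `Port` and `ListenAddress` deletes that follow, mutates the hash the template was handed, so rendering is not side-effect free: anything that reads the same `@options` object afterwards (a second render, or code inspecting the merged options once the fragment is built) no longer sees those keys. The old `scope.lookupvar` form had the same problem, but since this hunk and the `@@ -24` and `@@ -34` hunks touch every call site, this is the moment to work on a copy: add `<%- opts = @options.dup -%>` at the top of the template and replace the `@options` references in these hunks with `opts`. Whether `@options` is the same object as `ssh::server::merged_options` cannot be seen from the diff; if it is, the mutation reaches the options hash used elsewhere in the catalog.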
@@ -24,7 +23,7 @@ Port <%= p %> Port <%= port %> <%- end -%> <%- end -%> -<%- if listen = options.delete('ListenAddress') -%> +<%- if listen = @options.delete('ListenAddress') -%> <%- if listen.is_a?(Array) -%> <%- listen.reject{ |x| x.strip.empty? }.each do |l| -%> ListenAddress <%= l %> @@ -34,8 +33,8 @@ ListenAddress <%= listen %> <%- end -%> <%- end -%> -<%- options.keys.sort_by{ |sk| (sk.to_s.downcase.include? "match") ? 'zzz' + sk.to_s : sk.to_s }.each do |k| -%> -<%- v = options[k] -%> +<%- @options.keys.sort_by{ |sk| (sk.to_s.downcase.include? "match") ? 'zzz' + sk.to_s : sk.to_s }.each do |k| -%> +<%- v = @options[k] -%> <%- if v.is_a?(Hash) -%> <%= k %> <%- v.keys.sort.each do |key| -%> From 5e98dcf30ace40a4247bd3f3027bdf9a7077bcde Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Mon, 25 Apr 2022 16:59:43 -0700 Subject: [PATCH 163/246] add ssh::client::match_block class --- manifests/client/config.pp | 16 +++++--- manifests/client/match_block.pp | 32 ++++++++++++++++ spec/acceptance/client_spec.rb | 49 ++++++++++++++++++++++++ spec/classes/init_spec.rb | 2 +- spec/defines/client/match_block_spec.rb | 39 +++++++++++++++++++ spec/type_aliases/sshclientmatch_spec.rb | 19 +++++++++ types/clientmatch.pp | 11 ++++++ 7 files changed, 161 insertions(+), 7 deletions(-) create mode 100644 manifests/client/match_block.pp create mode 100644 spec/acceptance/client_spec.rb create mode 100644 spec/defines/client/match_block_spec.rb create mode 100644 spec/type_aliases/sshclientmatch_spec.rb create mode 100644 types/clientmatch.pp diff --git a/manifests/client/config.pp b/manifests/client/config.pp index 947cd4f1..04997f6f 100644 --- a/manifests/client/config.pp +++ b/manifests/client/config.pp 
@@ -12,13 +12,17 @@ if $use_augeas { create_resources('ssh_config', $options) } else { - file { $ssh::client::ssh_config: - ensure => file, - owner => '0', - group => '0', - mode => '0644', + concat { $ssh::client::ssh_config: + ensure => present, + owner => 0, + group => 0, + mode => '0644', + } + + concat::fragment { 'ssh_config global config': + target => $ssh::client::ssh_config, content => template("${module_name}/ssh_config.erb"), - require => Class['ssh::client::install'], + order => '00', } } } diff --git a/manifests/client/match_block.pp b/manifests/client/match_block.pp new file mode 100644 index 00000000..3305ec21 --- /dev/null +++ b/manifests/client/match_block.pp @@ -0,0 +1,32 @@ +# @summary +# Add match_block to ssh client config (concat needed) +# +# @param options +# Options which should be set +# +# @param type +# Type of match_block, e.g. user, group, host, ... +# +# @param order +# Orders your settings within the config file +# +# @param target +# Sets the target file of the concat fragment +# +define ssh::client::match_block ( + Hash $options = {}, + Ssh::ClientMatch $type = 'user', + Integer $order = 50, + Stdlib::Absolutepath $target = $ssh::client::ssh_config, +) { + if $ssh::client::use_augeas { + fail('ssh::client::match_block() define not supported with use_augeas = true') + } else { + concat::fragment { "match_block ${name}": + target => $target, + # same template may be used for ssh_config & sshd_config + content => template("${module_name}/sshd_match_block.erb"), + order => 200+$order, + } + } +} diff --git a/spec/acceptance/client_spec.rb b/spec/acceptance/client_spec.rb new file mode 100644 index 00000000..c896eefc --- /dev/null +++ b/spec/acceptance/client_spec.rb 
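Review bot: The `@param order` text in `manifests/client/match_block.pp` says only that it orders settings, but the fragment is emitted at `order => 200+$order`, while the global config fragment added in the `config.pp` hunk above uses `order => '00'`; that offset is the real contract and should be documented, e.g. `#   Orders your settings within the config file; the fragment is placed at 200 + order, after the global config fragment (order 00)`. The `$target` default reads `$ssh::client::ssh_config`, so the define can only be declared once `ssh::client` has been evaluated (the unit spec relies on `include ssh` for this); a sentence under `@param target` saying so would spare callers an opaque lookup failure.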
@@ -0,0 +1,49 @@ +# frozen_string_literal: true + +require 'spec_helper_acceptance' + +describe 'ssh' do + context 'with client_match_block' do + it_behaves_like 'an idempotent resource' do + let(:manifest) do + <<~PP + class { 'ssh': + client_options => { + 'GlobalKnownHostsFile' => "/var/lib/sss/pubconf/known_hosts", + 'PubkeyAuthentication' => "yes", + 'GSSAPIAuthentication' => "yes", + 'GSSAPIDelegateCredentials' => "yes", + }, + client_match_block => { + '!foo' => { + 'type' => 'user', + 'options' => { + 'ProxyCommand' => '/usr/bin/sss_ssh_knownhostsproxy -p %p %h', + }, + }, + }, + } + PP + end + + describe file('/etc/ssh/ssh_config') do + it { is_expected.to be_file } + it { is_expected.to be_owned_by 'root' } + it { is_expected.to be_grouped_into 'root' } + it { is_expected.to be_mode '644' } # serverspec does not like a leading 0 + its(:content) do + is_expected.to match <<~SSH + # File managed by Puppet + + GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts + PubkeyAuthentication yes + GSSAPIAuthentication yes + GSSAPIDelegateCredentials yes + Match user !foo + ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h + SSH + end + end + end + end +end diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index 7882b919..6fe458e5 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb @@ -138,7 +138,7 @@ it { is_expected.to contain_concat('/etc/ssh/sshd_config').with_validate_cmd(nil) } it { is_expected.to contain_resources('sshkey').with_purge(true) } it { is_expected.to contain_concat__fragment('global config').with_content(sshd_config_default) } - + it { is_expected.to contain_concat__fragment('ssh_config global config').with_content(ssh_config_expected_default) } it { is_expected.to contain_package(client_package).with_ensure('installed') } if client_package it { is_expected.to contain_package(server_package).with_ensure('installed') } if server_package end 
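Review bot: `is_expected.to match <<~SSH` hands a String to the `match` matcher, and for a String actual RSpec's `match` delegates to `actual.match(expected)`, which compiles the heredoc as a Regexp, so every metacharacter in the expected config is interpreted rather than compared literally. That is harmless for the `.` in this hunk, but the `Host *` and `SendEnv LANG LC_*` lines added to the same expectation in the later `client_spec.rb` hunks (`@@ -39,9 +40,12 @@` and `@@ -43,7 +50,10 @@`) make `*` a quantifier, so the assertion would also pass on a file containing only `Host` or `SendEnv LANG LC`. Use `is_expected.to include <<~SSH` for a literal substring check, or `match(Regexp.new(Regexp.escape(expected)))` if a regex match is wanted.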
diff --git a/spec/defines/client/match_block_spec.rb b/spec/defines/client/match_block_spec.rb new file mode 100644 index 00000000..c9abfc95 --- /dev/null +++ b/spec/defines/client/match_block_spec.rb @@ -0,0 +1,39 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'ssh::client::match_block' do + on_supported_os.each do |os, os_facts| + context "on #{os}" do + let(:facts) { os_facts } + let :pre_condition do + 'include ssh' + end + + context 'with !foo' do + let(:title) { '!foo' } + let(:params) do + { + 'type' => 'user', + 'options' => { + 'ProxyCommand' => '/usr/bin/sss_ssh_knownhostsproxy -p %p %h', + }, + 'target' => '/etc/ssh/ssh_config_foo', + } + end + + it { is_expected.to compile.with_all_deps } + it do + is_expected.to contain_concat__fragment('match_block !foo').with( + target: '/etc/ssh/ssh_config_foo', + content: <<~SSH, + Match user !foo + ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h + SSH + order: 250, + ) + end + end + end + end +end diff --git a/spec/type_aliases/sshclientmatch_spec.rb b/spec/type_aliases/sshclientmatch_spec.rb new file mode 100644 index 00000000..62d71b33 --- /dev/null +++ b/spec/type_aliases/sshclientmatch_spec.rb @@ -0,0 +1,19 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'Ssh::ClientMatch' do + known_criteria = %w[ + all + canonical + exec + final + host + localuser + originalhost + user + ] + it { is_expected.to allow_values(*known_criteria) } + it { is_expected.not_to allow_value(nil) } + it { is_expected.not_to allow_value('foo') } +end diff --git a/types/clientmatch.pp b/types/clientmatch.pp new file mode 100644 index 00000000..32e02a9a --- /dev/null +++ b/types/clientmatch.pp @@ -0,0 +1,11 @@ +# OpenSSH client `Match` criteria. See `ssh_config(5)` +type Ssh::ClientMatch = Enum[ + 'all', + 'canonical', + 'exec', + 'final', + 'host', + 'localuser', + 'originalhost', + 'user', +] From 3ccb1fb46a2b4215e2086898b9a845519e7e8638 Mon Sep 17 00:00:00 2001 
From: Joshua Hoblitt Date: Mon, 25 Apr 2022 17:05:51 -0700 Subject: [PATCH 164/246] add ssh::client_match_block param --- manifests/client.pp | 6 +++ manifests/init.pp | 5 +++ spec/acceptance/client_spec.rb | 36 ++++++++++-------- spec/classes/client_spec.rb | 4 +- spec/classes/init_spec.rb | 50 ++++++++++++++++++++++++- spec/defines/client/match_block_spec.rb | 7 ++-- 6 files changed, 85 insertions(+), 23 deletions(-) diff --git a/manifests/client.pp b/manifests/client.pp index 5c942fdf..d988885c 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -32,6 +32,9 @@ # @param default_options # Default options to set, will be merged with options parameter # +# @param match_block +# Add ssh match_block (with concat) +# class ssh::client ( Stdlib::Absolutepath $ssh_config, Hash $default_options, @@ -41,6 +44,7 @@ Hash $options = {}, Boolean $use_augeas = false, Array $options_absent = [], + Hash $match_block = {}, ) { if $use_augeas { $merged_options = sshclient_options_to_augeas_ssh_config($options, $options_absent, { 'target' => $ssh_config }) @@ -63,4 +67,6 @@ Class['ssh::client::install'] -> Class['ssh::client::config'] } + + create_resources('ssh::client::match_block', $match_block) } diff --git a/manifests/init.pp b/manifests/init.pp index 3f062b26..7533bc26 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -120,6 +120,9 @@ # @param client_options # Add dynamic options for ssh client config # +# @param client_match_block +# Add match block for ssh client config +# # @param users_client_options # Add users options for ssh client config # @@ -154,6 +157,7 @@ Optional[Hash] $server_options = undef, Hash $server_match_block = {}, Optional[Hash] $client_options = undef, + Hash $client_match_block = {}, Hash $users_client_options = {}, String $version = 'present', Boolean $storeconfigs_enabled = true, 
@@ -198,4 +202,5 @@ create_resources('ssh::client::config::user', $users_client_options) create_resources('ssh::server::match_block', $server_match_block) + create_resources('ssh::client::match_block', $client_match_block) } diff --git a/spec/acceptance/client_spec.rb b/spec/acceptance/client_spec.rb index c896eefc..722ed692 100644 --- a/spec/acceptance/client_spec.rb +++ b/spec/acceptance/client_spec.rb @@ -7,22 +7,22 @@ it_behaves_like 'an idempotent resource' do let(:manifest) do <<~PP - class { 'ssh': - client_options => { - 'GlobalKnownHostsFile' => "/var/lib/sss/pubconf/known_hosts", - 'PubkeyAuthentication' => "yes", - 'GSSAPIAuthentication' => "yes", - 'GSSAPIDelegateCredentials' => "yes", - }, - client_match_block => { - '!foo' => { - 'type' => 'user', - 'options' => { - 'ProxyCommand' => '/usr/bin/sss_ssh_knownhostsproxy -p %p %h', + class { 'ssh': + client_options => { + 'GlobalKnownHostsFile' => "/var/lib/sss/pubconf/known_hosts", + 'PubkeyAuthentication' => "yes", + 'GSSAPIAuthentication' => "yes", + 'GSSAPIDelegateCredentials' => "yes", + }, + client_match_block => { + '!foo' => { + 'type' => 'user', + 'options' => { + 'ProxyCommand' => '/usr/bin/sss_ssh_knownhostsproxy -p %p %h', + }, }, }, - }, - } + } PP end @@ -30,7 +30,8 @@ class { 'ssh': it { is_expected.to be_file } it { is_expected.to be_owned_by 'root' } it { is_expected.to be_grouped_into 'root' } - it { is_expected.to be_mode '644' } # serverspec does not like a leading 0 + it { is_expected.to be_mode '644' } # serverspec does not like a leading 0 + its(:content) do is_expected.to match <<~SSH # File managed by Puppet @@ -39,9 +40,12 @@ class { 'ssh': PubkeyAuthentication yes GSSAPIAuthentication yes GSSAPIDelegateCredentials yes + Host * + HashKnownHosts yes + SendEnv LANG LC_* Match user !foo ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h - SSH + SSH end end end diff --git a/spec/classes/client_spec.rb b/spec/classes/client_spec.rb index c30ec1bb..b950a5d3 100644 
--- a/spec/classes/client_spec.rb +++ b/spec/classes/client_spec.rb @@ -12,7 +12,7 @@ it { is_expected.to contain_class('ssh::knownhosts') } it { is_expected.to contain_class('ssh::client::config') } it { is_expected.to contain_class('ssh::client::install') } - it { is_expected.to contain_file('/etc/ssh/ssh_config') } + it { is_expected.to contain_concat('/etc/ssh/ssh_config') } end context 'with a different ssh_config location' do @@ -22,7 +22,7 @@ } end - it { is_expected.to contain_file('/etc/ssh/another_ssh_config') } + it { is_expected.to contain_concat('/etc/ssh/another_ssh_config') } end context 'with storeconfigs_enabled set to false' do diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index 6fe458e5..a696bda5 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb @@ -134,11 +134,12 @@ context 'with no other parameters' do it { is_expected.to contain_class('ssh::client') } it { is_expected.to contain_class('ssh::server') } - it { is_expected.to contain_file('/etc/ssh/ssh_config').with_content(ssh_config_expected_default) } + it { is_expected.to contain_concat('/etc/ssh/ssh_config') } it { is_expected.to contain_concat('/etc/ssh/sshd_config').with_validate_cmd(nil) } it { is_expected.to contain_resources('sshkey').with_purge(true) } it { is_expected.to contain_concat__fragment('global config').with_content(sshd_config_default) } it { is_expected.to contain_concat__fragment('ssh_config global config').with_content(ssh_config_expected_default) } + it { is_expected.to contain_package(client_package).with_ensure('installed') } if client_package it { is_expected.to contain_package(server_package).with_ensure('installed') } if server_package end 
@@ -169,7 +170,7 @@ } end - it { is_expected.to contain_file('/etc/ssh/ssh_config').with_content(ssh_config_expected_custom) } + it { is_expected.to contain_concat__fragment('ssh_config global config').with_content(ssh_config_expected_custom) } end context 'with storeconfigs_enabled set to false' do @@ -181,6 +182,51 @@ it { is_expected.not_to contain_class('ssh::knownhosts') } end + + context 'with client_match_block' do + let :params do + { + client_match_block: { + '!foo' => { + 'type' => 'user', + 'options' => { + 'ProxyCommand' => '/usr/bin/sss_ssh_knownhostsproxy -p %p %h', + }, + }, + 'bar' => { + 'type' => 'host', + 'options' => { + 'ForwardX11' => 'no', + 'PasswordAuthentication' => 'yes', + }, + }, + }, + } + end + + it do + is_expected.not_to contain_ssh__client__matchblock('!foo').with( + type: 'user', + options: { + 'ProxyCommand' => '/usr/bin/sss_ssh_knownhostsproxy -p %p %h', + }, + target: '/etc/ssh/ssh_config_foo' + ) + end + + it do + is_expected.not_to contain_ssh__client__matchblock('bar').with( + type: 'host', + options: { + 'FowardX11' => 'no', + 'PasswordAuthentication' => 'yes', + }, + target: '/etc/ssh/ssh_config_foo' + ) + end + + it { is_expected.not_to have_ssh__client__matchblock_resource_count(2) } + end end end end diff --git a/spec/defines/client/match_block_spec.rb b/spec/defines/client/match_block_spec.rb index c9abfc95..6db9f6e5 100644 --- a/spec/defines/client/match_block_spec.rb +++ b/spec/defines/client/match_block_spec.rb @@ -23,14 +23,15 @@ end it { is_expected.to compile.with_all_deps } + it do is_expected.to contain_concat__fragment('match_block !foo').with( target: '/etc/ssh/ssh_config_foo', content: <<~SSH, - Match user !foo - ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h + Match user !foo + ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h SSH - order: 250, + order: 250 ) end end From 553236572b7e3104b8311c79a645ef84cda25e10 Mon Sep 17 00:00:00 2001 
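Review bot: The three new expectations in the `with client_match_block` context are negative and name a resource that does not exist: `contain_ssh__client__matchblock` maps to `ssh::client::matchblock` (the define is `ssh::client::match_block`) and `have_ssh__client__matchblock_resource_count` likewise, so `not_to` is satisfied whatever the catalog contains and the context verifies nothing. The attributes would not match the declared params either: `'FowardX11'` is misspelled and `target: '/etc/ssh/ssh_config_foo'` is never passed in `params`. Make them positive checks on the real define, e.g. `is_expected.to contain_ssh__client__match_block('!foo').with(type: 'user', options: { 'ProxyCommand' => '/usr/bin/sss_ssh_knownhostsproxy -p %p %h' })` and `is_expected.to have_ssh__client__match_block_resource_count(2)`, dropping the `target` key. The `@@ -205,8 +205,8 @@` hunk in a later commit edits the same expectation and keeps the `not_to` form.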
From: Steffen Zieger Date: Tue, 31 May 2022 11:00:00 +0200 Subject: [PATCH 165/246] remove unused sshd_config file --- files/sshd_config | 77 ----------------------------------------------- 1 file changed, 77 deletions(-) delete mode 100644 files/sshd_config diff --git a/files/sshd_config b/files/sshd_config deleted file mode 100644 index 05248741..00000000 --- a/files/sshd_config +++ /dev/null 
@@ -1,77 +0,0 @@ -# Package generated configuration file -# See the sshd(8) manpage for details - -# What ports, IPs and protocols we listen for -Port 22 -# Use these options to restrict which interfaces/protocols sshd will bind to -#ListenAddress :: -#ListenAddress 0.0.0.0 -Protocol 2 -# HostKeys for protocol version 2 -HostKey /etc/ssh/ssh_host_rsa_key -HostKey /etc/ssh/ssh_host_dsa_key -#Privilege Separation is turned on for security -UsePrivilegeSeparation yes - -# Lifetime and size of ephemeral version 1 server key -KeyRegenerationInterval 3600 -ServerKeyBits 768 - -# Logging -SyslogFacility AUTH -LogLevel INFO - -# Authentication: -LoginGraceTime 120 -PermitRootLogin yes -StrictModes yes - -RSAAuthentication yes -PubkeyAuthentication yes -#AuthorizedKeysFile %h/.ssh/authorized_keys - -# Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts yes -# For this to work you will also need host keys in /etc/ssh_known_hosts -RhostsRSAAuthentication no -# similar for protocol version 2 -HostbasedAuthentication no -# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication -#IgnoreUserKnownHosts yes - -# To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords no - -# Change to yes to enable challenge-response passwords (beware issues with -# some PAM modules and threads) -ChallengeResponseAuthentication no - -# Change to no to disable tunnelled clear text passwords -#PasswordAuthentication yes - -# Kerberos options -#KerberosAuthentication no -#KerberosGetAFSToken no -#KerberosOrLocalPasswd yes -#KerberosTicketCleanup yes - -# GSSAPI options -#GSSAPIAuthentication no -#GSSAPICleanupCredentials yes - -X11Forwarding yes -X11DisplayOffset 10 -PrintMotd no -PrintLastLog yes -TCPKeepAlive yes -#UseLogin no - -#MaxStartups 10:30:60 -#Banner /etc/issue.net - -# Allow client to pass locale environment variables -AcceptEnv LANG LC_* - -Subsystem sftp /usr/lib/openssh/sftp-server - -UsePAM yes 
From 5cc99ac1e809b15ddfdb4b7ced7a1dd961fdb6ff Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Tue, 31 May 2022 11:29:41 +0200 Subject: [PATCH 166/246] replace create_resources with splat operator --- manifests/client.pp | 6 +++++- manifests/client/config.pp | 6 +++++- manifests/init.pp | 20 +++++++++++++++++--- manifests/server.pp | 6 +++++- manifests/server/config.pp | 6 +++++- 5 files changed, 37 insertions(+), 7 deletions(-) diff --git a/manifests/client.pp b/manifests/client.pp index d988885c..b0be0a43 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -68,5 +68,9 @@ -> Class['ssh::client::config'] } - create_resources('ssh::client::match_block', $match_block) + $match_block.each |String $k, Hash $v| { + ssh::client::match_block { $k: + * => $v, + } + } } diff --git a/manifests/client/config.pp b/manifests/client/config.pp index 04997f6f..40c3ca2e 100644 --- a/manifests/client/config.pp +++ b/manifests/client/config.pp @@ -10,7 +10,11 @@ $use_augeas = $ssh::client::use_augeas if $use_augeas { - create_resources('ssh_config', $options) + $options.each |String $k, Hash $v| { + ssh_config { $k: + * => $v, + } + } } else { concat { $ssh::client::ssh_config: ensure => present, diff --git a/manifests/init.pp b/manifests/init.pp index 7533bc26..ad72a3cc 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -200,7 +200,21 @@ } } - create_resources('ssh::client::config::user', $users_client_options) - create_resources('ssh::server::match_block', $server_match_block) - create_resources('ssh::client::match_block', $client_match_block) + $users_client_options.each |String $k, Hash $v| { + ssh::client::config::user { $k: + * => $v, + } + } + + $server_match_block.each |String $k, Hash $v| { + ssh::server::match_block { $k: + * => $v, + } + } + + $client_match_block.each |String $k, Hash $v| { + ssh::client::match_block { $k: + * => $v, + } + } } diff --git a/manifests/server.pp b/manifests/server.pp index 04946faa..a21bbb78 100644 
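Review bot: The new `$match_block.each |String $k, Hash $v|` lambda (and the equivalent loops in the `client/config.pp`, `init.pp`, `server.pp` and `server/config.pp` hunks) now fails with a lambda parameter type mismatch when a value is not a `Hash`, where `create_resources` previously raised its own error; that is acceptable, but the class parameters feeding these loops are still declared as bare `Hash`. Tightening them to `Hash[String, Hash] $match_block = {}` (and the same for `$users_client_options`, `$server_match_block` and `$client_match_block` in `init.pp`) moves the check to the parameter, where the error names the parameter instead of an anonymous lambda. The enclosing class bodies start outside these hunks.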
--- a/manifests/server.pp +++ b/manifests/server.pp @@ -101,5 +101,9 @@ ~> Class['ssh::server::service'] } - create_resources('ssh::server::match_block', $match_block) + $match_block.each |String $k, Hash $v| { + ssh::server::match_block { $k: + * => $v, + } + } } diff --git a/manifests/server/config.pp b/manifests/server/config.pp index cc632eff..da12a7ee 100644 --- a/manifests/server/config.pp +++ b/manifests/server/config.pp @@ -18,7 +18,11 @@ } if $ssh::server::use_augeas { - create_resources('sshd_config', $options) + $options.each |String $k, Hash $v| { + sshd_config { $k: + * => $v, + } + } } else { concat { $ssh::server::sshd_config: ensure => present, From 7f1a892f7190480dcbdb02bbf89afd643eb4a718 Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Wed, 29 Jun 2022 09:32:09 -0700 Subject: [PATCH 167/246] fix support for negated ssh client match block criteria MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In the client match block support added via #332, I had not correctly interpreted `ssh_config(5). A match block is negated by prepending a ! to the match type, not the parameters to the match type. Per the man page: Criteria may be negated by prepending an exclamation mark (‘!’). --- spec/acceptance/client_spec.rb | 16 +++++++++++++--- spec/classes/init_spec.rb | 8 ++++---- spec/type_aliases/sshclientmatch_spec.rb | 8 ++++++++ types/clientmatch.pp | 8 ++++++++ 4 files changed, 33 insertions(+), 7 deletions(-) diff --git a/spec/acceptance/client_spec.rb b/spec/acceptance/client_spec.rb index 722ed692..474a5b56 100644 --- a/spec/acceptance/client_spec.rb +++ b/spec/acceptance/client_spec.rb 
@@ -15,12 +15,19 @@ class { 'ssh': 'GSSAPIDelegateCredentials' => "yes", }, client_match_block => { - '!foo' => { - 'type' => 'user', + 'foo' => { + 'type' => '!localuser', 'options' => { 'ProxyCommand' => '/usr/bin/sss_ssh_knownhostsproxy -p %p %h', }, }, + 'bar' => { + 'type' => 'host', + 'options' => { + 'ForwardX11' => 'no', + 'PasswordAuthentication' => 'yes', + }, + }, }, } PP @@ -43,7 +50,10 @@ class { 'ssh': Host * HashKnownHosts yes SendEnv LANG LC_* - Match user !foo + Match host bar + ForwardX11 no + PasswordAuthentication yes + Match !localuser foo ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h SSH end diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index a696bda5..f4ffdb2c 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb @@ -187,8 +187,8 @@ let :params do { client_match_block: { - '!foo' => { - 'type' => 'user', + 'foo' => { + 'type' => '!localuser', 'options' => { 'ProxyCommand' => '/usr/bin/sss_ssh_knownhostsproxy -p %p %h', }, @@ -205,8 +205,8 @@ end it do - is_expected.not_to contain_ssh__client__matchblock('!foo').with( - type: 'user', + is_expected.not_to contain_ssh__client__matchblock('foo').with( + type: '!localuser', options: { 'ProxyCommand' => '/usr/bin/sss_ssh_knownhostsproxy -p %p %h', }, diff --git a/spec/type_aliases/sshclientmatch_spec.rb b/spec/type_aliases/sshclientmatch_spec.rb index 62d71b33..4072e208 100644 --- a/spec/type_aliases/sshclientmatch_spec.rb +++ b/spec/type_aliases/sshclientmatch_spec.rb @@ -4,13 +4,21 @@ describe 'Ssh::ClientMatch' do known_criteria = %w[ + !all all + !canonical canonical + !exec exec + !final final + !host host + !localuser localuser + !originalhost originalhost + !user user ] it { is_expected.to allow_values(*known_criteria) } diff --git a/types/clientmatch.pp b/types/clientmatch.pp index 32e02a9a..5acbae87 100644 --- a/types/clientmatch.pp +++ b/types/clientmatch.pp 
@@ -1,11 +1,19 @@ # OpenSSH client `Match` criteria. See `ssh_config(5)` type Ssh::ClientMatch = Enum[ + '!all', 'all', + '!canonical', 'canonical', + '!exec', 'exec', + '!final', 'final', + '!host', 'host', + '!localuser', 'localuser', + '!originalhost', 'originalhost', + '!user', 'user', ] From 9333e9d3a92f1256946fc69dd287c8d853894cb8 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Mon, 10 Oct 2022 15:11:50 +0200 Subject: [PATCH 168/246] ssh::server::instances: Implement support for service_ensure/service_enable previously, the defined resource had the service_ensure and service_enable parameters, but didn't use them. This change: * makes service_ensure depended on ensure * makes service_enable depended on service_ensure * passes service_ensure/service_enable to systemd::unit_file * refactores the unit tests to make them faster --- manifests/server/instances.pp | 14 +- spec/defines/server/instances_spec.rb | 249 ++++++++++++++------------ 2 files changed, 143 insertions(+), 120 deletions(-) diff --git a/manifests/server/instances.pp b/manifests/server/instances.pp index 72653326..90433dc3 100644 --- a/manifests/server/instances.pp +++ b/manifests/server/instances.pp @@ -1,4 +1,4 @@ -# @summary +# @summary # Configure separate ssh server instances # # @param ensure @@ -8,10 +8,10 @@ # Set options for the instance # # @param service_ensure -# Whether this instance service should be running or stopped +# Whether this instance service should be running or stopped, defaults to true when ensure is set to present, otherwise false # # @param service_enable -# Whether this instance service should be started at boot +# Whether this instance service should be started at boot. Will be added automatically if ensure is running/removed if ensure is stopped # # @param validate_config_file # Validate config file before applying 
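Review bot: The header comment of `types/clientmatch.pp` still reads `# OpenSSH client `Match` criteria. See `ssh_config(5)`` although the enum now also accepts each criterion negated; the commit message explains the `!` prefix but the type does not, so a reader has to guess why every entry appears twice. Suggest `# OpenSSH client `Match` criteria, optionally negated with a leading '!'. See ssh_config(5)`. A `Pattern[/\A!?(all|canonical|exec|final|host|localuser|originalhost|user)\z/]` would express the same set without the duplication, at the cost of a less descriptive type error; either way the doc line should mention negation.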
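Review bot: The rewritten `@param service_ensure` text in `manifests/server/instances.pp` says the value defaults to `true` when `ensure` is `present`, but the default introduced in the `@@ -28,8 +28,8 @@` hunk is the string `'running'` (`'stopped'` for `absent`) and the parameter is typed `Stdlib::Ensure::Service`, not `Boolean`. The `@param service_enable` sentence likewise describes something other than the new default `$service_enable = ($service_ensure == 'running')`. Suggest `#   Whether this instance service should be running or stopped; defaults to 'running' when ensure is present and 'stopped' when ensure is absent` and `#   Whether this instance service should be started at boot; defaults to true when service_ensure is 'running', false otherwise`.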
@@ -28,8 +28,8 @@ define ssh::server::instances ( Enum[present, absent] $ensure = present, Hash $options = {}, - Stdlib::Ensure::Service $service_ensure = 'running', - Boolean $service_enable = true, + Stdlib::Ensure::Service $service_ensure = $ensure ? { 'present' => 'running', 'absent' => 'stopped' }, + Boolean $service_enable = ($service_ensure == 'running'), Boolean $validate_config_file = false, Stdlib::Absolutepath $sshd_instance_config_file = "${ssh::server::sshd_dir}/sshd_config.${title}", Stdlib::Absolutepath $sshd_binary = $ssh::server::sshd_binary, @@ -75,8 +75,8 @@ systemd::unit_file { "${title}.service": content => template("${module_name}/ssh_instance_service.erb"), - active => true, - enable => true, + active => ($service_ensure == 'running'), + enable => $service_enable, } } else { fail ("Operating System ${facts['os']['name']} not supported, because Systemd is not available") diff --git a/spec/defines/server/instances_spec.rb b/spec/defines/server/instances_spec.rb index bf4bbc89..8ac85a2e 100644 --- a/spec/defines/server/instances_spec.rb +++ b/spec/defines/server/instances_spec.rb 
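Review bot: With `ensure => absent` the instance is only stopped and disabled: `systemd::unit_file { "${title}.service": ... }` in the second hunk receives `active` and `enable` but no `ensure`, so the unit file — and, unless it is handled outside these hunks, `${ssh::server::sshd_dir}/sshd_config.${title}` — stay on disk, and a decommissioned listener remains one `systemctl start` away from coming back with its old configuration. Pass `ensure => $ensure,` to the unit_file (and to the concat resource for the instance config if it does not already receive it) so that `absent` removes the listener rather than parking it. The define's body continues outside these hunks.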
@@ -3,131 +3,154 @@ require 'spec_helper' describe 'ssh::server::instances' do - context 'with sftp_server present' do - let(:title) { 'sftp_server' } - let :pre_condition do - 'include ssh' - end - let(:params) do - { - 'ensure' => 'present', - 'options' => { - 'sshd_config' => { - 'Port' => 8022, - 'Protocol' => 2, - 'AddressFamily' => 'any', - 'HostKey' => '/etc/ssh/ssh_host_rsa_key', - 'SyslogFacility' => 'AUTH', - 'LogLevel' => 'INFO', - 'LoginGraceTime' => 120, - 'PermitRootLogin' => 'no', - 'StrictModes' => 'yes', - 'PubkeyAuthentication' => 'yes', - 'HostbasedAuthentication' => 'no', - 'IgnoreUserKnownHosts' => 'no', - 'IgnoreRhosts' => 'yes', - 'PasswordAuthentication' => 'yes', - 'ChallengeResponseAuthentication' => 'no', - 'GSSAPIAuthentication' => 'no', - 'GSSAPIKeyExchange' => 'no', - 'GSSAPICleanupCredentials' => 'yes', - 'UsePAM' => 'yes', - 'AcceptEnv' => %w[LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT LC_IDENTIFICATION LC_ALL], - 'AllowTcpForwarding' => 'no', - 'X11Forwarding' => 'no', - 'X11UseLocalhost' => 'yes', - 'PrintMotd' => 'yes', - 'TCPKeepAlive' => 'yes', - 'ClientAliveInterval' => 0, - 'ClientAliveCountMax' => 0, - 'UseDNS' => 'no', - 'PermitTunnel' => 'no', - 'Banner' => '/etc/ssh/sshd_banner.txt', - 'XAuthLocation' => '/usr/bin/xauth', - 'Subsystem' => 'sftp /usr/libexec/openssh/sftp-server', - 'Ciphers' => %w[aes128-ctr aes192-ctr aes256-ctr aes128-cbc 3des-cbc aes192-cbc aes256-cbc], - 'AllowGroups' => 'root lclssh ssh_all_systems VmAdmins', - }, - 'sshd_service_options' => '', - 'match_blocks' => { - '*,!ssh_exempt_ldap_authkey,!sshlokey' => { - 'type' => 'group', - 'options' => { - 'AuthorizedKeysCommand' => '/usr/local/bin/getauthkey', - 'AuthorizedKeysCommandUser' => 'nobody', - 'AuthorizedKeysFile' => '/dev/null', + on_supported_os.each do |os, os_facts| + context "on #{os}", if: os_facts[:kernel] == 'Linux' do + let(:facts) { os_facts } + let(:title) 
{ 'sftp_server' } + let :pre_condition do + 'include ssh' + end + + context 'with sftp_server present' do + let(:params) do + { + 'ensure' => 'present', + 'options' => { + 'sshd_config' => { + 'Port' => 8022, + 'Protocol' => 2, + 'AddressFamily' => 'any', + 'HostKey' => '/etc/ssh/ssh_host_rsa_key', + 'SyslogFacility' => 'AUTH', + 'LogLevel' => 'INFO', + 'LoginGraceTime' => 120, + 'PermitRootLogin' => 'no', + 'StrictModes' => 'yes', + 'PubkeyAuthentication' => 'yes', + 'HostbasedAuthentication' => 'no', + 'IgnoreUserKnownHosts' => 'no', + 'IgnoreRhosts' => 'yes', + 'PasswordAuthentication' => 'yes', + 'ChallengeResponseAuthentication' => 'no', + 'GSSAPIAuthentication' => 'no', + 'GSSAPIKeyExchange' => 'no', + 'GSSAPICleanupCredentials' => 'yes', + 'UsePAM' => 'yes', + 'AcceptEnv' => %w[LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT LC_IDENTIFICATION LC_ALL], + 'AllowTcpForwarding' => 'no', + 'X11Forwarding' => 'no', + 'X11UseLocalhost' => 'yes', + 'PrintMotd' => 'yes', + 'TCPKeepAlive' => 'yes', + 'ClientAliveInterval' => 0, + 'ClientAliveCountMax' => 0, + 'UseDNS' => 'no', + 'PermitTunnel' => 'no', + 'Banner' => '/etc/ssh/sshd_banner.txt', + 'XAuthLocation' => '/usr/bin/xauth', + 'Subsystem' => 'sftp /usr/libexec/openssh/sftp-server', + 'Ciphers' => %w[aes128-ctr aes192-ctr aes256-ctr aes128-cbc 3des-cbc aes192-cbc aes256-cbc], + 'AllowGroups' => 'root lclssh ssh_all_systems VmAdmins', + }, + 'sshd_service_options' => '', + 'match_blocks' => { + '*,!ssh_exempt_ldap_authkey,!sshlokey' => { + 'type' => 'group', + 'options' => { + 'AuthorizedKeysCommand' => '/usr/local/bin/getauthkey', + 'AuthorizedKeysCommandUser' => 'nobody', + 'AuthorizedKeysFile' => '/dev/null', + }, + }, + 'ssh_deny_pw_auth,sshdnypw' => { + 'type' => 'group', + 'options' => { + 'KbdInteractiveAuthentication' => 'no', + 'PasswordAuthentication' => 'no', + }, + }, }, }, - 'ssh_deny_pw_auth,sshdnypw' => { - 'type' => 
'group', - 'options' => { - 'KbdInteractiveAuthentication' => 'no', - 'PasswordAuthentication' => 'no', + 'service_ensure' => 'running', + 'service_enable' => true, + 'validate_config_file' => true, + } + end + + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_concat('/etc/ssh/sshd_config.sftp_server') } + it { is_expected.to contain_concat__fragment('sshd instance sftp_server config') } + it { is_expected.to contain_ssh__server__match_block('ssh_deny_pw_auth,sshdnypw') } + it { is_expected.to contain_ssh__server__match_block('*,!ssh_exempt_ldap_authkey,!sshlokey') } + it { is_expected.to contain_systemd__unit_file('sftp_server.service') } + it { is_expected.to contain_service('sftp_server.service') } + end + + context 'with minimal params' do + let(:params) do + { + 'ensure' => 'present', + 'options' => { + 'sshd_config' => { + 'Port' => 8022, + 'Protocol' => 2, + 'AddressFamily' => 'any', + 'HostKey' => '/etc/ssh/ssh_host_rsa_key', + 'SyslogFacility' => 'AUTH', + 'LogLevel' => 'INFO', + 'PermitRootLogin' => 'no', }, + 'sshd_service_options' => '', + 'match_blocks' => {}, }, - }, - }, - 'service_ensure' => 'running', - 'service_enable' => true, - 'validate_config_file' => true, - } - end + } + end - on_supported_os.each do |os, os_facts| - context "on #{os}" do - let(:facts) { os_facts } + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_concat__fragment('sshd instance sftp_server config') } + it { is_expected.to contain_systemd__unit_file('sftp_server.service').with_enable(true).with_active(true) } + it { is_expected.to contain_service('sftp_server.service').with_ensure(true).with_enable(true) } + end - if os_facts[:kernel] == 'Linux' - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_concat('/etc/ssh/sshd_config.sftp_server') } - it { is_expected.to contain_concat__fragment('sshd instance sftp_server config') } - it { is_expected.to 
contain_ssh__server__match_block('ssh_deny_pw_auth,sshdnypw') } - it { is_expected.to contain_ssh__server__match_block('*,!ssh_exempt_ldap_authkey,!sshlokey') } - it { is_expected.to contain_systemd__unit_file('sftp_server.service') } - it { is_expected.to contain_service('sftp_server.service') } - else - it { is_expected.to compile.and_raise_error(%r{not supported, because Systemd is not available}) } + context 'with minimal example and ensure stopped' do + let(:params) do + { + 'ensure' => 'absent', + } end + + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_concat__fragment('sshd instance sftp_server config') } + it { is_expected.to contain_systemd__unit_file('sftp_server.service').with_enable(false).with_active(false) } + it { is_expected.to contain_service('sftp_server.service').with_enable(false).with_ensure(false) } end - end - end - context 'minimal setup' do - let(:title) { 'sftp_server' } - let :pre_condition do - 'include ssh' - end - let(:params) do - { - 'ensure' => 'present', - 'options' => { - 'sshd_config' => { - 'Port' => 8022, - 'Protocol' => 2, - 'AddressFamily' => 'any', - 'HostKey' => '/etc/ssh/ssh_host_rsa_key', - 'SyslogFacility' => 'AUTH', - 'LogLevel' => 'INFO', - 'PermitRootLogin' => 'no', - }, - 'sshd_service_options' => '', - 'match_blocks' => {}, - }, - } - end + context 'with minimal example and service stopped' do + let(:params) do + { + 'service_ensure' => 'stopped', + 'service_enable' => true, + } + end - on_supported_os.each do |os, os_facts| - context "on #{os}" do - let(:facts) { os_facts } + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_concat__fragment('sshd instance sftp_server config') } + it { is_expected.to contain_systemd__unit_file('sftp_server.service').with_enable(true).with_active(false) } + it { is_expected.to contain_service('sftp_server.service').with_enable(true).with_ensure(false) } + end - if os_facts[:kernel] == 'Linux' - it { is_expected.to 
compile.with_all_deps } - it { is_expected.to contain_concat__fragment('sshd instance sftp_server config') } - it { is_expected.to contain_systemd__unit_file('sftp_server.service') } - it { is_expected.to contain_service('sftp_server.service') } - else - it { is_expected.to compile.and_raise_error(%r{not supported, because Systemd is not available}) } + context 'with minimal example and service running but not in autostart' do + let(:params) do + { + 'ensure' => 'present', + 'service_enable' => false, + } end + + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_concat__fragment('sshd instance sftp_server config') } + it { is_expected.to contain_systemd__unit_file('sftp_server.service').with_enable(false).with_active(true) } + it { is_expected.to contain_service('sftp_server.service').with_enable(false).with_ensure(true) } end end end From 3935c57e5fe7cb6bee1deb2fa69cf2b515f1f4fd Mon Sep 17 00:00:00 2001 From: Sebastian Reitenbach Date: Fri, 21 Oct 2022 16:58:38 +0200 Subject: [PATCH 169/246] Add data file for OpenBSD --- data/OpenBSD.yaml | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/data/OpenBSD.yaml b/data/OpenBSD.yaml index 07879456..bc486174 100644 --- a/data/OpenBSD.yaml +++ b/data/OpenBSD.yaml 
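Review bot: The context `'with minimal example and ensure stopped'` passes `ensure: 'absent'`, not a stopped service, and it still expects `contain_concat__fragment('sshd instance sftp_server config')` and a present `systemd__unit_file`, which pins down that an absent instance keeps its config and unit on the host. If that is not the intended semantics, rename the context to `'with ensure absent'` and, once the define removes the files, assert `contain_systemd__unit_file('sftp_server.service').with_ensure('absent')` instead of the current `.with_enable(false).with_active(false)`.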
@@ -1,19 +1,14 @@ --- ssh::server::sshd_dir: '/etc/ssh' +ssh::server::sshd_binary: '/usr/sbin/sshd' ssh::server::sshd_config: '/etc/ssh/sshd_config' ssh::client::ssh_config: '/etc/ssh/ssh_config' ssh::server::service_name: 'sshd' ssh::sftp_server_path: '/usr/libexec/sftp-server' ssh::server::host_priv_key_group: 0 - ssh::server::default_options: ChallengeResponseAuthentication: 'no' - X11Forwarding : 'yes' - PrintMotd : 'no' - AcceptEnv : 'LANG LC_*' - Subsystem : "sftp %{lookup('ssh::sftp_server_path')}" - -ssh::client::default_options: - 'Host *': - SendEnv: 'LANG LC_*' - HashKnownHosts: 'yes' + X11Forwarding: 'yes' + PrintMotd: 'no' + AcceptEnv: 'LANG LC_*' + Subsystem: "sftp %{lookup('ssh::sftp_server_path')}" From 11d6bb42ca281ae3965b0881c0e720b3ff739468 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Fri, 28 Oct 2022 14:18:15 +0200 Subject: [PATCH 170/246] feat: add support for Ubuntu 22.04, fixes #336 --- metadata.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/metadata.json b/metadata.json index ba80f959..a136a7de 100644 --- a/metadata.json +++ b/metadata.json @@ -64,7 +64,8 @@ "operatingsystem": "Ubuntu", "operatingsystemrelease": [ "18.04", - "20.04" + "20.04", + "22.04" ] }, { From c8ef6ab4cf4db511922547e47a81a213ed1f3102 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Mon, 31 Oct 2022 12:03:43 +0100 Subject: [PATCH 171/246] docs: add release v10.0.0 to CHANGELOG --- CHANGELOG.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9f960627..84f7e7bc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
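Review bot: The hunk deletes the entire `ssh::client::default_options` block (`Host *` with `SendEnv LANG LC_*` and `HashKnownHosts yes`) while the commit message only mentions adding a data file; unless a lower-priority data file outside this diff supplies the same keys, OpenBSD clients lose `HashKnownHosts yes`, which is a hardening regression that should at least be called out in the changelog. The server defaults also keep `X11Forwarding: 'yes'`; most hardening baselines want `no` unless a site opts in, so a comment such as `# X11Forwarding follows the OpenBSD stock sshd_config; set to 'no' in site data for hardened hosts` (or a change to `'no'`) would help the next reader.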
@@ -4,6 +4,16 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [10.0.0] +### Added +- Add support for client "match blocks" (#332, #333) +- Add data file for OpenBSD (#339) +- Add support for service_ensure/service_enable in `ssh::server::instances` (#338) +### Changed +- Use hiera instead of params.pp (#325, #328) +### Fixed +- Fix parameter lookup for `ssh::server` and `ssh::client` (#331) + ## [9.0.0] ### Added - Support for multiple instances (#318, #319, #321) - Thanks! From 5019eecb243ee8ccf40beb9be2e3f452b49bea9b Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Mon, 31 Oct 2022 12:04:54 +0100 Subject: [PATCH 172/246] release: v10.0.0 --- metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/metadata.json b/metadata.json index a136a7de..6bf06bd0 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "saz-ssh", - "version": "9.0.0", + "version": "10.0.0", "author": "saz", "summary": "Manage SSH client and server via Puppet.", "license": "Apache-2.0", From 66bce3f5b2999d076dde55149a255fb2a42d604d Mon Sep 17 00:00:00 2001 From: Bryan Hundven Date: Thu, 15 Dec 2022 11:32:40 -0800 Subject: [PATCH 173/246] Add AIX support `server_package_name` and `client_package_name` are not set, as the package is builtin. Signed-off-by: Bryan Hundven --- data/AIX.yaml | 16 ++++++++++++++++ metadata.json | 5 ++++- 2 files changed, 20 insertions(+), 1 deletion(-) create mode 100644 data/AIX.yaml diff --git a/data/AIX.yaml b/data/AIX.yaml new file mode 100644 index 00000000..7ee10d47 --- /dev/null +++ b/data/AIX.yaml 
@@ -0,0 +1,16 @@ +--- +ssh::server::sshd_dir: '/etc/ssh' +ssh::server::sshd_binary: '/usr/sbin/sshd' +ssh::server::sshd_config: '/etc/ssh/sshd_config' +ssh::server::ssh_config: '/etc/ssh/ssh_config' +ssh::server::ssh_known_hosts: '/etc/ssh/ssh_known_hosts' +ssh::server::service_name: 'sshd' +ssh::sftp_server_path: '/usr/sbin/sftp-server' +ssh::server::host_priv_key_group: 0 +ssh::server::default_options: + AcceptEnv: 'LANG LC_*' + ChallengeResponseAuthentication: 'no' + PrintMotd: 'no' + Subsystem: "sftp %{lookup('ssh::sftp_server_path')}" + UsePAM: 'no' + X11Forwarding: 'yes' diff --git a/metadata.json b/metadata.json index 6bf06bd0..a58055af 100644 --- a/metadata.json +++ b/metadata.json @@ -65,7 +65,7 @@ "operatingsystemrelease": [ "18.04", "20.04", - "22.04" + "22.04" ] }, { @@ -111,6 +111,9 @@ }, { "operatingsystem": "Archlinux" + }, + { + "operatingsystem": "AIX" } ], "requirements": [ From f2ee4b2be21ad72299a00d705524e431d4dc44c6 Mon Sep 17 00:00:00 2001 From: Rehan Mahmood Date: Sat, 31 Dec 2022 23:02:55 -0500 Subject: [PATCH 174/246] Fix for service name on latest versions of opensuse. --- data/Suse.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/data/Suse.yaml b/data/Suse.yaml index 30639fa7..84b48b49 100644 --- a/data/Suse.yaml +++ b/data/Suse.yaml @@ -5,5 +5,6 @@ ssh::server::sshd_dir: '/etc/ssh' ssh::server::sshd_binary: '/usr/sbin/sshd' ssh::server::sshd_config: '/etc/ssh/sshd_config' ssh::server::sshd_environments_file: '/etc/sysconfig/ssh' +ssh::server::service_name: 'sshd' ssh::client::ssh_config: '/etc/ssh/ssh_config' ssh::server::host_priv_key_group: 0 From 687d908a4b721421a9d6c4ee168498c3e3fd93fc Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Fri, 27 Jan 2023 12:04:15 -0700 Subject: [PATCH 175/246] bump puppet/systemd to < 5.0.0 --- metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/metadata.json b/metadata.json index 6bf06bd0..ade73363 100644 --- a/metadata.json +++ b/metadata.json 
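Review bot: `ssh::server::ssh_config` and `ssh::server::ssh_known_hosts` appear to be in the wrong namespace: the OpenBSD and Suse data files in this series set the client config path as `ssh::client::ssh_config`, so under `ssh::server::` these two keys are probably never looked up and AIX clients fall back to whatever the module's default is; please confirm the lookup keys and rename to `ssh::client::ssh_config` (and the matching known_hosts key, if the module has one). `UsePAM: 'no'` disables PAM account and session handling for this platform and deserves a one-line comment stating why (e.g. `# AIX sshd is not built with PAM support`), so it is not later flipped without checking. `X11Forwarding: 'yes'` as a server default warrants the same justification comment as on the other platforms.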
@@ -17,7 +17,7 @@ }, { "name": "puppet/systemd", - "version_requirement": ">= 3.7.0 < 4.0.0" + "version_requirement": ">= 3.7.0 < 5.0.0" } ], "operatingsystem_support": [ From 76f77808b08143a959cb4ddb2acea3f9a48c3018 Mon Sep 17 00:00:00 2001 From: Joshua Hoblitt Date: Tue, 31 Jan 2023 17:08:34 -0700 Subject: [PATCH 176/246] force gha acceptance tests to `runs-on: ubuntu-20.04` Per @bastelfreak, the systemd version in the EL7 docker images is unhappy on Ubuntu 22.04. This issue isn't occuring in the shared voxpupli workflow because the runner version is pinned: https://github.com/voxpupuli/gha-puppet/blob/v1/.github/workflows/beaker.yml#L112 --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d946464c..82651fd8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -56,7 +56,7 @@ jobs: run: bundle exec rake parallel_spec acceptance: needs: setup_matrix - runs-on: ubuntu-latest + runs-on: ubuntu-20.04 env: BUNDLE_WITHOUT: development:test:release strategy: From 795880345a769e651fe93083b1aa80f54fa6b91c Mon Sep 17 00:00:00 2001 From: Tomas Barton Date: Thu, 16 Feb 2023 14:55:48 +0100 Subject: [PATCH 177/246] Support assigning multiple tags to a hostkey --- README.md | 16 +++++++++ manifests/hostkeys.pp | 27 +++++++++----- spec/classes/hostkeys_spec.rb | 67 +++++++++++++++++++++++++++++++++++ 3 files changed, 102 insertions(+), 8 deletions(-) create mode 100644 spec/classes/hostkeys_spec.rb diff --git a/README.md b/README.md index 3c6770ca..ae354185 100644 --- a/README.md +++ b/README.md 
@@ -348,6 +348,22 @@ class YOURCUSTOMCLASS { } ``` +## Tag hostkey + +Assign tags to exported `sshkey` resources (when `ssh::storeconfigs_enabled` is set to `true`). + +```yaml +ssh::hostkeys::tags: + - hostkey_group1 + - hostkey_group2 +``` + +Host keys then can be imported using: + +```puppet +Sshkey <<| tag == "hostkey_group1" |>> +``` + ## Excluding network interfaces or ipaddresses Use hiera to exclude interfaces or ipaddresses from hostkey inclusion diff --git a/manifests/hostkeys.pp b/manifests/hostkeys.pp index 0d66c85e..28463d44 100644 --- a/manifests/hostkeys.pp +++ b/manifests/hostkeys.pp @@ -19,13 +19,17 @@ # @param use_trusted_facts # Whether to use trusted or normal facts # +# @param tags +# Array of custom tags +# class ssh::hostkeys ( - Boolean $export_ipaddresses = true, - Optional[String[1]] $storeconfigs_group = undef, - Array $extra_aliases = [], - Array $exclude_interfaces = [], - Array $exclude_ipaddresses = [], - Boolean $use_trusted_facts = false, + Boolean $export_ipaddresses = true, + Optional[String[1]] $storeconfigs_group = undef, + Array $extra_aliases = [], + Array $exclude_interfaces = [], + Array $exclude_ipaddresses = [], + Boolean $use_trusted_facts = false, + Optional[Array[String[1]]] $tags = undef, ) { if $use_trusted_facts { $fqdn_real = $trusted['certname'] @@ -44,8 +48,14 @@ $host_aliases = sort(unique(flatten([$fqdn_real, $hostname_real, $extra_aliases]))) } - if $storeconfigs_group { - tag 'hostkey_all', "hostkey_${storeconfigs_group}" + $storeconfigs_groups = $storeconfigs_group ? { + undef => [], + default => ['hostkey_all', "hostkey_${storeconfigs_group}"], + } + + $_tags = $tags ? { + undef => $storeconfigs_groups, + default => $storeconfigs_groups + $tags, } ['dsa', 'rsa', 'ecdsa', 'ed25519'].each |String $key_type| { @@ -63,6 +73,7 @@ host_aliases => $host_aliases, type => $key_type_real, key => $facts['ssh'][$key_type]['key'], + tag => $_tags, } } else { @@sshkey { "${fqdn_real}_${key_type}": 
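Review bot: The old `tag 'hostkey_all', "hostkey_${storeconfigs_group}"` was a class-level tag and so reached every resource declared in the class; the replacement attaches `tag => $_tags` only to the `@@sshkey` in the `if` branch shown, while the `else` branch's `@@sshkey { "${fqdn_real}_${key_type}":` begins on the last line of the hunk with its body outside the diff. If that branch does not also get `tag => $_tags`, hosts exported through it silently stop matching `Sshkey <<| tag == "hostkey_all" |>>` collectors and drop out of their peers' known_hosts — please confirm it is covered. Also, `Optional[Array[String[1]]] $tags` accepts strings that Puppet's tag validation will reject at catalog time; constraining the element type with a `Pattern[]` for allowed tag characters turns that into a clear compile-time error.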
diff --git a/spec/classes/hostkeys_spec.rb b/spec/classes/hostkeys_spec.rb new file mode 100644 index 00000000..9602e414 --- /dev/null +++ b/spec/classes/hostkeys_spec.rb @@ -0,0 +1,67 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'ssh::hostkeys', type: 'class' do + _, os_facts = on_supported_os.first + + let(:facts) { os_facts } + + context 'with tags' do + let(:params) do + { + tags: %w[group1 group2] + } + end + + %w[dsa rsa ecdsa ed25519].each do |key_type| + it { + expect(exported_resources).to contain_sshkey("foo.example.com_#{key_type}"). + with( + ensure: 'present', + type: %r{^#{key_type}}, + tag: %w[group1 group2] + ) + } + end + end + + context 'with storeconfigs_group' do + let(:params) do + { + storeconfigs_group: 'server_group', + } + end + + %w[dsa rsa ecdsa ed25519].each do |key_type| + it { + expect(exported_resources).to contain_sshkey("foo.example.com_#{key_type}"). + with( + ensure: 'present', + type: %r{^#{key_type}}, + tag: %w[hostkey_all hostkey_server_group] + ) + } + end + end + + context 'with storeconfigs_group and tags' do + let(:params) do + { + storeconfigs_group: 'server_group', + tags: %w[group1 group2], + } + end + + %w[dsa rsa ecdsa ed25519].each do |key_type| + it { + expect(exported_resources).to contain_sshkey("foo.example.com_#{key_type}"). + with( + ensure: 'present', + type: %r{^#{key_type}}, + tag: %w[hostkey_all hostkey_server_group group1 group2] + ) + } + end + end +end From 1d722f11492a5d9e7f02cfd339def4ff97da59d3 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Thu, 13 Apr 2023 08:12:51 +0200 Subject: [PATCH 178/246] fix: run hostkeys spec only for `rsa` keys --- spec/classes/hostkeys_spec.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/spec/classes/hostkeys_spec.rb b/spec/classes/hostkeys_spec.rb index 9602e414..1f9dd9e4 100644 --- a/spec/classes/hostkeys_spec.rb +++ b/spec/classes/hostkeys_spec.rb 
@@ -14,7 +14,7 @@ } end - %w[dsa rsa ecdsa ed25519].each do |key_type| + %w[rsa].each do |key_type| it { expect(exported_resources).to contain_sshkey("foo.example.com_#{key_type}"). with( @@ -33,7 +33,7 @@ } end - %w[dsa rsa ecdsa ed25519].each do |key_type| + %w[rsa].each do |key_type| it { expect(exported_resources).to contain_sshkey("foo.example.com_#{key_type}"). with( @@ -53,7 +53,7 @@ } end - %w[dsa rsa ecdsa ed25519].each do |key_type| + %w[rsa].each do |key_type| it { expect(exported_resources).to contain_sshkey("foo.example.com_#{key_type}"). with( From 67eca78f44cd69a1f1dc4975f218b1aaeb65f738 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Thu, 13 Apr 2023 08:22:42 +0200 Subject: [PATCH 179/246] Update from modulesync_config --- .github/workflows/ci.yml | 88 ++++------------------------------- .github/workflows/release.yml | 32 ++++--------- .gitignore | 36 +++++++------- .msync.yml | 2 +- .puppet-lint.rc | 3 ++ Dockerfile | 2 +- Gemfile | 13 +++--- Rakefile | 38 ++------------- spec/spec_helper.rb | 2 + 9 files changed, 56 insertions(+), 160 deletions(-) create mode 100644 .puppet-lint.rc diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d946464c..8a077911 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -4,83 +4,15 @@ name: CI -on: - - pull_request - - push +on: pull_request -jobs: - setup_matrix: - name: 'Setup Test Matrix' - runs-on: ubuntu-latest - timeout-minutes: 40 - outputs: - puppet_unit_test_matrix: ${{ steps.get-outputs.outputs.puppet_unit_test_matrix }} - github_action_test_matrix: ${{ steps.get-outputs.outputs.github_action_test_matrix }} - env: - BUNDLE_WITHOUT: development:system_tests:release - steps: - - uses: actions/checkout@v2 - - name: Setup ruby - uses: ruby/setup-ruby@v1 - with: - ruby-version: '3.0' - bundler-cache: true - - name: Run static validations - run: bundle exec rake validate lint check - - name: Run rake rubocop - run: bundle exec rake rubocop - - name: Setup Test Matrix - id: get-outputs - run: bundle exec metadata2gha --use-fqdn --pidfile-workaround false +concurrency: + group: ${{ github.ref_name }} + cancel-in-progress: true - unit: - needs: setup_matrix - runs-on: ubuntu-latest - timeout-minutes: 40 - strategy: - fail-fast: false - matrix: - include: ${{fromJson(needs.setup_matrix.outputs.puppet_unit_test_matrix)}} - env: - BUNDLE_WITHOUT: development:system_tests:release - PUPPET_VERSION: "~> ${{ matrix.puppet }}.0" - name: Puppet ${{ matrix.puppet }} (Ruby ${{ matrix.ruby }}) - steps: - - uses: actions/checkout@v2 - - name: Setup ruby - uses: ruby/setup-ruby@v1 - with: - ruby-version: ${{ matrix.ruby }} - bundler-cache: true - - name: Run tests - run: bundle exec rake parallel_spec - acceptance: - needs: setup_matrix - runs-on: ubuntu-latest - env: - BUNDLE_WITHOUT: development:test:release - strategy: - fail-fast: false - matrix: - include: ${{fromJson(needs.setup_matrix.outputs.github_action_test_matrix)}} - name: ${{ matrix.puppet.name }} - ${{ matrix.setfile.name }} - steps: - - uses: actions/checkout@v2 - - name: Setup ruby - uses: ruby/setup-ruby@v1 - with: - ruby-version: '3.0' - bundler-cache: true - - name: Run tests - run: bundle exec rake beaker - env: - BEAKER_PUPPET_COLLECTION: ${{ matrix.puppet.collection 
}} - BEAKER_setfile: ${{ matrix.setfile.value }} - tests: - needs: - - unit - - acceptance - runs-on: ubuntu-latest - name: Test suite - steps: - - run: echo Test suite completed +jobs: + puppet: + name: Puppet + uses: voxpupuli/gha-puppet/.github/workflows/beaker.yml@v1 + with: + pidfile_workaround: 'false' diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1e4f916c..0fc788e7 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -9,26 +9,14 @@ on: tags: - '*' -env: - BUNDLE_WITHOUT: development:test:system_tests - jobs: - deploy: - name: 'deploy to forge' - runs-on: ubuntu-latest - if: github.repository_owner == 'saz' - steps: - - name: Checkout repository - uses: actions/checkout@v2 - - name: Setup Ruby - uses: ruby/setup-ruby@v1 - with: - ruby-version: '2.7' - bundler-cache: true - - name: Build and Deploy - env: - # Configure secrets here: - # https://docs.github.com/en/free-pro-team@latest/actions/reference/encrypted-secrets - BLACKSMITH_FORGE_USERNAME: '${{ secrets.PUPPET_FORGE_USERNAME }}' - BLACKSMITH_FORGE_API_KEY: '${{ secrets.PUPPET_FORGE_API_KEY }}' - run: bundle exec rake module:push + release: + name: Release + uses: voxpupuli/gha-puppet/.github/workflows/release.yml@v1 + with: + allowed_owner: 'saz' + secrets: + # Configure secrets here: + # https://docs.github.com/en/actions/security-guides/encrypted-secrets + username: ${{ secrets.PUPPET_FORGE_USERNAME }} + api_key: ${{ secrets.PUPPET_FORGE_API_KEY }} diff --git a/.gitignore b/.gitignore index 9b95224c..84fd904c 100644 --- a/.gitignore +++ b/.gitignore 
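Review bot: `on: pull_request` replaces the previous `pull_request` plus `push` triggers, so commits landing directly on the default branch — and the merge result itself — are no longer tested; keep `push: branches: [master]` (or the repository's default branch) alongside `pull_request`. The reusable workflow is referenced as `voxpupuli/gha-puppet/.github/workflows/beaker.yml@v1`, a mutable tag; for a workflow that runs on every PR, pinning to a full commit SHA with the tag in a trailing comment (`@<sha> # v1`) bounds what a force-moved or compromised tag can execute in this repository.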
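Review bot: The Forge credentials are now handed to a third-party reusable workflow (`voxpupuli/gha-puppet/.github/workflows/release.yml@v1`) through `secrets:`; because `v1` is a moving tag, whoever can move that tag upstream can exfiltrate `PUPPET_FORGE_API_KEY` on the next tagged release. Pin the reference to a commit SHA (`@<sha> # v1`) and review it on bumps; `allowed_owner: 'saz'` presumably replaces the old `if: github.repository_owner == 'saz'` guard, which only prevents forks from releasing and says nothing about what the workflow itself does with the secrets.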
@@ -1,23 +1,23 @@ # Managed by modulesync - DO NOT EDIT # https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ -pkg/ -Gemfile.lock -Gemfile.local -vendor/ -.vendor/ -spec/fixtures/manifests/ -spec/fixtures/modules/ -.vagrant/ -.bundle/ -.ruby-version -coverage/ -log/ -.idea/ -.dependencies/ -.librarian/ -Puppetfile.lock +/pkg/ +/Gemfile.lock +/Gemfile.local +/vendor/ +/.vendor/ +/spec/fixtures/manifests/ +/spec/fixtures/modules/ +/.vagrant/ +/.bundle/ +/.ruby-version +/coverage/ +/log/ +/.idea/ +/.dependencies/ +/.librarian/ +/Puppetfile.lock *.iml .*.sw? -.yardoc/ -Guardfile +/.yardoc/ +/Guardfile diff --git a/.msync.yml b/.msync.yml index 9c9f18f9..f3156d15 100644 --- a/.msync.yml +++ b/.msync.yml @@ -2,4 +2,4 @@ # Managed by modulesync - DO NOT EDIT # https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ -modulesync_config_version: '4.1.0' +modulesync_config_version: '5.4.0' diff --git a/.puppet-lint.rc b/.puppet-lint.rc new file mode 100644 index 00000000..dd8272c7 --- /dev/null +++ b/.puppet-lint.rc @@ -0,0 +1,3 @@ +--fail-on-warnings +--no-parameter_documentation-check +--no-parameter_types-check diff --git a/Dockerfile b/Dockerfile index e3cf307f..8dd82d63 100644 --- a/Dockerfile +++ b/Dockerfile @@ -8,7 +8,7 @@ WORKDIR /opt/puppet # https://github.com/puppetlabs/puppet/blob/06ad255754a38f22fb3a22c7c4f1e2ce453d01cb/lib/puppet/provider/service/runit.rb#L39 RUN mkdir -p /etc/sv -ARG PUPPET_VERSION="~> 6.0" +ARG PUPPET_GEM_VERSION="~> 6.0" ARG PARALLEL_TEST_PROCESSORS=4 # Cache gems diff --git a/Gemfile b/Gemfile index 963a5e3f..15313c38 100644 --- a/Gemfile +++ b/Gemfile 
@@ -1,13 +1,13 @@ # Managed by modulesync - DO NOT EDIT # https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ -source ENV['GEM_SOURCE'] || "https://rubygems.org" +source ENV['GEM_SOURCE'] || 'https://rubygems.org' group :test do - gem 'voxpupuli-test', '~> 5.0', :require => false + gem 'voxpupuli-test', '~> 5.4', :require => false gem 'coveralls', :require => false gem 'simplecov-console', :require => false - gem 'puppet_metadata', '~> 1.0', :require => false + gem 'puppet_metadata', '~> 2.0', :require => false end group :development do @@ -20,15 +20,14 @@ group :system_tests do end group :release do - gem 'github_changelog_generator', '>= 1.16.1', :require => false - gem 'voxpupuli-release', '>= 1.2.0', :require => false - gem 'puppet-strings', '>= 2.2', :require => false + gem 'github_changelog_generator', '>= 1.16.1', :require => false if RUBY_VERSION >= '2.5' + gem 'voxpupuli-release', '~> 2.0', :require => false end gem 'rake', :require => false gem 'facter', ENV['FACTER_GEM_VERSION'], :require => false, :groups => [:test] -puppetversion = ENV['PUPPET_VERSION'] || '>= 6.0' +puppetversion = ENV['PUPPET_GEM_VERSION'] || '>= 6.0' gem 'puppet', puppetversion, :require => false, :groups => [:test] # vim: syntax=ruby diff --git a/Rakefile b/Rakefile index 5dacb6a4..9e7edf74 100644 --- a/Rakefile +++ b/Rakefile @@ -1,7 +1,7 @@ # Managed by modulesync - DO NOT EDIT # https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ -# Attempt to load voxupuli-test (which pulls in puppetlabs_spec_helper), +# Attempt to load voxpupuli-test (which pulls in puppetlabs_spec_helper), # otherwise attempt to load it directly. begin require 'voxpupuli/test/rake' @@ -24,6 +24,10 @@ end begin require 'voxpupuli/release/rake_tasks' rescue LoadError + # voxpupuli-release not present +else + GCGConfig.user = 'saz' + GCGConfig.project = 'puppet-ssh' end desc "Run main 'test' task and report merged results to coveralls" 
@@ -37,36 +41,4 @@ task test_with_coveralls: [:test] do end end -desc 'Generate REFERENCE.md' -task :reference, [:debug, :backtrace] do |t, args| - patterns = '' - Rake::Task['strings:generate:reference'].invoke(patterns, args[:debug], args[:backtrace]) -end - -begin - require 'github_changelog_generator/task' - require 'puppet_blacksmith' - GitHubChangelogGenerator::RakeTask.new :changelog do |config| - metadata = Blacksmith::Modulefile.new - config.future_release = "v#{metadata.version}" if metadata.version =~ /^\d+\.\d+.\d+$/ - config.header = "# Changelog\n\nAll notable changes to this project will be documented in this file.\nEach new release typically also includes the latest modulesync defaults.\nThese should not affect the functionality of the module." - config.exclude_labels = %w{duplicate question invalid wontfix wont-fix modulesync skip-changelog} - config.user = 'saz' - config.project = metadata.metadata['name'] - end - - # Workaround for https://github.com/github-changelog-generator/github-changelog-generator/issues/715 - require 'rbconfig' - if RbConfig::CONFIG['host_os'] =~ /linux/ - task :changelog do - puts 'Fixing line endings...' - changelog_file = File.join(__dir__, 'CHANGELOG.md') - changelog_txt = File.read(changelog_file) - new_contents = changelog_txt.gsub(%r{\r\n}, "\n") - File.open(changelog_file, "w") {|file| file.puts new_contents } - end - end - -rescue LoadError -end # vim: syntax=ruby diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index 4d617f39..6515b7bf 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb @@ -9,6 +9,8 @@ require 'voxpupuli/test/spec_helper' +add_mocked_facts! + if File.exist?(File.join(__dir__, 'default_module_facts.yml')) facts = YAML.safe_load(File.read(File.join(__dir__, 'default_module_facts.yml'))) facts&.each do |name, value| From 016c7015250d12ca8a9249c6e5fda9a9386b4bf4 Mon Sep 17 00:00:00 2001 
From: Steffen Zieger Date: Sat, 15 Apr 2023 09:46:36 +0200 Subject: [PATCH 180/246] prepare release v10.1.0 --- CHANGELOG.md | 9 +++++++++ metadata.json | 2 +- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 84f7e7bc..2158ba8c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,15 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [10.1.0] +### Added +- Support assigning multiple tags to a hostkey (#345) +- Add AIX support (#341) +### Changed +- bump puppet/systemd to < 5.0.0 (#344) +### Fixed +- Fix for service name on latest versions of opensuse. (#343) + ## [10.0.0] ### Added - Add support for client "match blocks" (#332, #333) diff --git a/metadata.json b/metadata.json index 7ad0ce0d..f1b3b16f 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "saz-ssh", - "version": "10.0.0", + "version": "10.1.0", "author": "saz", "summary": "Manage SSH client and server via Puppet.", "license": "Apache-2.0", From 6eb06e8275781dddbb87397b02d6dc0346b02a3a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Keller?= Date: Wed, 26 Apr 2023 15:10:32 +0200 Subject: [PATCH 181/246] Replace deprecated functions --- manifests/server/config/setting.pp | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/manifests/server/config/setting.pp b/manifests/server/config/setting.pp index 4df78789..7c114f3d 100644 --- a/manifests/server/config/setting.pp +++ b/manifests/server/config/setting.pp 
@@ -17,18 +17,15 @@ ) { include ssh::server - if is_bool($value) { - $real_value = $value ? { + $real_value = $value ? { + Boolean => $value ? { true => 'yes', false => 'no', default => undef - } - } elsif is_array($value) { - $real_value = join($value, ' ') - } elsif is_hash($value) { - fail('Hash values are not supported') - } else { - $real_value = $value + }, + Array => join($value, ' '), + Hash => fail('Hash values are not supported'), + default => $value, } concat::fragment { "ssh_setting_${name}_${key}": From 5944c09cf7df33ce7705bf038e0c1238ec79bd7b Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Sun, 30 Apr 2023 12:08:53 +0200 Subject: [PATCH 182/246] Update from modulesync_config --- .msync.yml | 2 +- .pmtignore | 64 +++++++++++++++++++++++++++--------------------------- Gemfile | 3 ++- 3 files changed, 35 insertions(+), 34 deletions(-) diff --git a/.msync.yml b/.msync.yml index f3156d15..a4b00691 100644 --- a/.msync.yml +++ b/.msync.yml @@ -2,4 +2,4 @@ # Managed by modulesync - DO NOT EDIT # https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ -modulesync_config_version: '5.4.0' +modulesync_config_version: '5.5.0' diff --git a/.pmtignore b/.pmtignore index 65f50514..58a04088 100644 --- a/.pmtignore +++ b/.pmtignore 
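Review bot: The inner `default => undef` arm under the `Boolean` case is unreachable — a value that matched `Boolean` is always `true` or `false` — and it misleadingly suggests a boolean can yield `undef`. The whole arm is a one-liner with stdlib's `bool2str`, which this module already depends on (the three-argument form should be covered by the module's stdlib floor, but verify): `Boolean => bool2str($value, 'yes', 'no'),`. Note also that `Array` elements go straight to `join`, so a boolean inside an array is rendered `true`/`false` rather than `yes`/`no`; if that asymmetry is intended, a short comment above the selector would save the next reader from "fixing" it. The enclosing define `ssh::server::config::setting` starts and ends outside the hunk.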
@@ -1,37 +1,37 @@ # Managed by modulesync - DO NOT EDIT # https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ -docs/ -pkg/ -Gemfile -Gemfile.lock -Gemfile.local -vendor/ -.vendor/ -spec/ -Rakefile -.vagrant/ -.bundle/ -.ruby-version -coverage/ -log/ -.idea/ -.dependencies/ -.github/ -.librarian/ -Puppetfile.lock +/docs/ +/pkg/ +/Gemfile +/Gemfile.lock +/Gemfile.local +/vendor/ +/.vendor/ +/spec/ +/Rakefile +/.vagrant/ +/.bundle/ +/.ruby-version +/coverage/ +/log/ +/.idea/ +/.dependencies/ +/.github/ +/.librarian/ +/Puppetfile.lock *.iml -.editorconfig -.fixtures.yml -.gitignore -.msync.yml -.overcommit.yml -.pmtignore -.rspec -.rspec_parallel -.rubocop.yml -.sync.yml +/.editorconfig +/.fixtures.yml +/.gitignore +/.msync.yml +/.overcommit.yml +/.pmtignore +/.rspec +/.rspec_parallel +/.rubocop.yml +/.sync.yml .*.sw? -.yardoc/ -.yardopts -Dockerfile +/.yardoc/ +/.yardopts +/Dockerfile diff --git a/Gemfile b/Gemfile index 15313c38..0d3a9e08 100644 --- a/Gemfile +++ b/Gemfile @@ -22,12 +22,13 @@ end group :release do gem 'github_changelog_generator', '>= 1.16.1', :require => false if RUBY_VERSION >= '2.5' gem 'voxpupuli-release', '~> 2.0', :require => false + gem 'faraday-retry', '~> 2.1', :require => false if RUBY_VERSION >= '2.6' end gem 'rake', :require => false gem 'facter', ENV['FACTER_GEM_VERSION'], :require => false, :groups => [:test] -puppetversion = ENV['PUPPET_GEM_VERSION'] || '>= 6.0' +puppetversion = ENV['PUPPET_GEM_VERSION'] || '~> 7.24' gem 'puppet', puppetversion, :require => false, :groups => [:test] # vim: syntax=ruby From b1dcc12e35583d2b362182a9d4acec3c14958f32 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Fri, 26 May 2023 09:22:20 +0200 Subject: [PATCH 183/246] Add support for concat v8 --- metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/metadata.json b/metadata.json index f1b3b16f..55543363 100644 --- a/metadata.json +++ b/metadata.json 
@@ -13,7 +13,7 @@ }, { "name": "puppetlabs/concat", - "version_requirement": ">= 2.2.0 < 8.0.0" + "version_requirement": ">= 2.2.0 < 9.0.0" }, { "name": "puppet/systemd", From 2b18a72f1adeba0ec1e37ab9289cc0cf3f9a78d2 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Fri, 26 May 2023 09:34:05 +0200 Subject: [PATCH 184/246] prepare release v10.2.0 --- CHANGELOG.md | 5 +++++ metadata.json | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2158ba8c..cf2bb782 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [10.2.0] +### Changed +- bump puppetlabs/concat to < 9.0.0 (#352) +- Replace deprecated functions (#350) + ## [10.1.0] ### Added - Support assigning multiple tags to a hostkey (#345) diff --git a/metadata.json b/metadata.json index f1b3b16f..ba660061 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "saz-ssh", - "version": "10.1.0", + "version": "10.2.0", "author": "saz", "summary": "Manage SSH client and server via Puppet.", "license": "Apache-2.0", From 03b28c1464e5d35bb3be42cdec40d1bda2412508 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Sat, 3 Jun 2023 20:12:37 +0200 Subject: [PATCH 185/246] puppetlabs/stdlib: Require 9.x --- manifests/client/install.pp | 2 +- manifests/server/install.pp | 2 +- metadata.json | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/manifests/client/install.pp b/manifests/client/install.pp index 379cea2e..daa9a1b3 100644 --- a/manifests/client/install.pp +++ b/manifests/client/install.pp @@ -7,7 +7,7 @@ assert_private() if $ssh::client::client_package_name { - ensure_packages([ + stdlib::ensure_packages([ $ssh::client::client_package_name, ], { 'ensure' => $ssh::client::ensure, 
diff --git a/manifests/server/install.pp b/manifests/server/install.pp index f32c3657..c8f8df8c 100644 --- a/manifests/server/install.pp +++ b/manifests/server/install.pp @@ -7,7 +7,7 @@ assert_private() if $ssh::server::server_package_name { - ensure_packages ([ + stdlib::ensure_packages ([ $ssh::server::server_package_name, ], { 'ensure' => $ssh::server::ensure, diff --git a/metadata.json b/metadata.json index 369356ef..854a7630 100644 --- a/metadata.json +++ b/metadata.json @@ -9,7 +9,7 @@ "dependencies": [ { "name": "puppetlabs/stdlib", - "version_requirement": ">= 4.25.0 < 9.0.0" + "version_requirement": ">= 9.0.0 < 10.0.0" }, { "name": "puppetlabs/concat", From 7af740b0db83e6ec1bfc59a285cf952cf04c2c8b Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Fri, 30 Jun 2023 10:50:13 +0200 Subject: [PATCH 186/246] puppetlabs/concat: Allow 9.x --- metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/metadata.json b/metadata.json index 854a7630..976b3d21 100644 --- a/metadata.json +++ b/metadata.json @@ -13,7 +13,7 @@ }, { "name": "puppetlabs/concat", - "version_requirement": ">= 2.2.0 < 9.0.0" + "version_requirement": ">= 2.2.0 < 10.0.0" }, { "name": "puppet/systemd", From 809c3155d87ae391c12463db593b660cfe4f11f4 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Fri, 30 Jun 2023 10:50:41 +0200 Subject: [PATCH 187/246] puppet/systemd: Allow 5.x --- metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/metadata.json b/metadata.json index 976b3d21..848383a7 100644 --- a/metadata.json +++ b/metadata.json @@ -17,7 +17,7 @@ }, { "name": "puppet/systemd", - "version_requirement": ">= 3.7.0 < 5.0.0" + "version_requirement": ">= 3.7.0 < 6.0.0" } ], "operatingsystem_support": [ From ea89c7cd969e54ad533952c8bf05accf99dbed66 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Fri, 30 Jun 2023 10:50:54 +0200 Subject: [PATCH 188/246] cleanup .fixtures.yml --- .fixtures.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) 
diff --git a/.fixtures.yml b/.fixtures.yml index af1fa799..fde683af 100644 --- a/.fixtures.yml +++ b/.fixtures.yml @@ -3,6 +3,4 @@ fixtures: stdlib: "https://github.com/puppetlabs/puppetlabs-stdlib" concat: "https://github.com/puppetlabs/puppetlabs-concat" systemd: "https://github.com/voxpupuli/puppet-systemd" - sshkeys_core: - repo: "https://github.com/puppetlabs/puppetlabs-sshkeys_core" - puppet_version: ">= 6.0.0" + sshkeys_core: "https://github.com/puppetlabs/puppetlabs-sshkeys_core" From 71a48dd84beb3d18210beee9045a0f26e42e9f2f Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Mon, 3 Jul 2023 11:36:19 +0200 Subject: [PATCH 189/246] Update from modulesync_config --- .msync.yml | 2 +- Gemfile | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.msync.yml b/.msync.yml index a4b00691..b929160c 100644 --- a/.msync.yml +++ b/.msync.yml @@ -2,4 +2,4 @@ # Managed by modulesync - DO NOT EDIT # https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ -modulesync_config_version: '5.5.0' +modulesync_config_version: '6.0.0' diff --git a/Gemfile b/Gemfile index 0d3a9e08..98a04cfb 100644 --- a/Gemfile +++ b/Gemfile @@ -4,10 +4,10 @@ source ENV['GEM_SOURCE'] || 'https://rubygems.org' group :test do - gem 'voxpupuli-test', '~> 5.4', :require => false + gem 'voxpupuli-test', '~> 6.0', :require => false gem 'coveralls', :require => false gem 'simplecov-console', :require => false - gem 'puppet_metadata', '~> 2.0', :require => false + gem 'puppet_metadata', '~> 3.0', :require => false end group :development do 
@@ -16,13 +16,13 @@ group :development do end group :system_tests do - gem 'voxpupuli-acceptance', '~> 1.0', :require => false + gem 'voxpupuli-acceptance', '~> 2.0', :require => false end group :release do - gem 'github_changelog_generator', '>= 1.16.1', :require => false if RUBY_VERSION >= '2.5' - gem 'voxpupuli-release', '~> 2.0', :require => false - gem 'faraday-retry', '~> 2.1', :require => false if RUBY_VERSION >= '2.6' + gem 'github_changelog_generator', '>= 1.16.1', :require => false + gem 'voxpupuli-release', '~> 3.0', :require => false + gem 'faraday-retry', '~> 2.1', :require => false end gem 'rake', :require => false From e2571062894977e483fdeef6e7591ba17fff7bf5 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Mon, 3 Jul 2023 11:53:55 +0200 Subject: [PATCH 190/246] drop support for puppet 6, add Debian 12 --- metadata.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/metadata.json b/metadata.json index 848383a7..5d3ad3b5 100644 --- a/metadata.json +++ b/metadata.json @@ -57,7 +57,8 @@ "operatingsystem": "Debian", "operatingsystemrelease": [ "10", - "11" + "11", + "12" ] }, { @@ -119,7 +120,7 @@ "requirements": [ { "name": "puppet", - "version_requirement": ">= 6.1.0 < 8.0.0" + "version_requirement": ">= 7.0.0 < 9.0.0" } ] } From 404eeec51d6a06204742a8cbf794ad133cc42336 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Mon, 3 Jul 2023 14:41:11 +0200 Subject: [PATCH 191/246] prepare release: v11.0.0 --- CHANGELOG.md | 10 ++++++++++ metadata.json | 2 +- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index cf2bb782..59b254d6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -4,6 +4,16 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [11.0.0] +### Removed +- BREAKING CHANGE: drop support for puppet 6 +### Changed +- puppetlabs/concat: Allow 9.x (#354) +- puppet/systemd: Allow 5.x (#354) +- puppetlabs/stdlib: Require 9.x (#354) +### Added +- add Debian 12 as supported OS + ## [10.2.0] ### Changed - bump puppetlabs/concat to < 9.0.0 (#352) diff --git a/metadata.json b/metadata.json index 5d3ad3b5..7701bee7 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "saz-ssh", - "version": "10.2.0", + "version": "11.0.0", "author": "saz", "summary": "Manage SSH client and server via Puppet.", "license": "Apache-2.0", From d5d7cba30aa3d9f72e9680c725e4a2ea6340d156 Mon Sep 17 00:00:00 2001 From: Virus2500 Date: Thu, 3 Aug 2023 10:36:54 +0200 Subject: [PATCH 192/246] This fixes #358 --- lib/facter/ssh_server_version.rb | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/lib/facter/ssh_server_version.rb b/lib/facter/ssh_server_version.rb index 7c31d560..e18327c4 100644 --- a/lib/facter/ssh_server_version.rb +++ b/lib/facter/ssh_server_version.rb @@ -26,14 +26,7 @@ setcode do version = Facter.value('ssh_server_version_full') - case version - when %r{([0-9]+)\.([0-9]+)\.([0-9]+p[0-9]+)} - # 6.6.1p1 style formatting - version.gsub(%r{([0-9]+)\.([0-9]+)\.([0-9]+p[0-9]+)}, '\1') - when %r{^([0-9]+)\.([0-9]+p[0-9]+)} - # 7.2p2 style formatting - version.gsub(%r{^([0-9]+)\.([0-9]+p[0-9]+)}, '\1') - end + version.gsub(%r{^([0-9]+)\..*$}, '\1') end end From d2f065875de598a0a9077cbfd0d5c84388de36d1 Mon Sep 17 00:00:00 2001 
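Review bot: `version` is `nil` whenever `ssh_server_version_full` does not resolve (no sshd on the node), and the new single `version.gsub(...)` then raises `NoMethodError` on a nil receiver inside `setcode`, where the old `case` simply produced `nil`. The replacement also changes no-match behaviour: `gsub` returns its input unchanged, so a version string that does not start with `digits.` would be published verbatim as the "major" fact instead of `nil`. Guard and extract rather than substitute: `next unless version` before the call, then `version[%r{\A(\d+)\.}, 1]`, which returns `nil` on no match, needs no `.*$` tail, and uses `\A` instead of `^` (which matches at any line start). The surrounding `Facter.add` block starts outside the hunk.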
From: Rene Trippen Date: Thu, 21 Sep 2023 12:43:53 +0200 Subject: [PATCH 193/246] write ciphers,macs and kex as comma-separated string As the man page of sshd_config(5) describes: "Multiple ciphers/macs/kexalgorithms must be comma-separated." Using an array or YAML list for ciphers/mac/kex results in multiple entries in sshd_config. If multiple entries are set in sshd_config, sshd takes only the first one. Fixes #361 --- templates/sshd_config.erb | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb index 07af0880..339434e7 100644 --- a/templates/sshd_config.erb +++ b/templates/sshd_config.erb @@ -40,22 +40,30 @@ ListenAddress <%= listen %> <%- v.keys.sort.each do |key| -%> <%- value = v[key] -%> <%- if value.is_a?(Array) -%> + <%- if ['ciphers', 'macs', 'kexalgorithms'].include?(key.downcase) -%> + <%= key %> <%= value.join(',') %> + <%- else -%> <%- value.each do |a| -%> <%- if a != '' && a != nil -%> <%= key %> <%= bool2str(a) %> <%- end -%> <%- end -%> + <%- end -%> <%- elsif value != '' && value != nil -%> <%= key %> <%= bool2str(value) %> <%- end -%> <%- end -%> <%- else -%> <%- if v.is_a?(Array) -%> +<%- if ['ciphers', 'macs', 'kexalgorithms'].include?(k.downcase) -%> +<%= k %> <%= v.join(',') %> +<%- else -%> <%- v.each do |a| -%> <%- if a != '' && a != nil -%> <%= k %> <%= bool2str(a) %> <%- end -%> <%- end -%> +<%- end -%> <%- elsif v != nil and v != '' -%> <%= k %> <%= bool2str(v) %> <%- end -%> From 2c89c874ef62f19e46062d0f5347db0413be8c6c Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Tue, 3 Oct 2023 13:25:06 +0200 Subject: [PATCH 194/246] prepare release: v11.1.0 --- CHANGELOG.md | 5 +++++ metadata.json | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 59b254d6..17f24f03 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
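Review bot: The new joined branch does not drop empty or `nil` elements, whereas the per-line branch it bypasses does (`a != '' && a != nil`), so `['aes256-gcm@openssh.com', '']` renders `Ciphers aes256-gcm@openssh.com,` and sshd should reject that as a bad cipher spec at start-up. Filter before joining, in both places: `<%= key %> <%= value.reject { |a| a.nil? || a == '' }.join(',') %>`. The hard-coded trio also misses the other comma-separated algorithm lists in sshd_config(5) — `HostKeyAlgorithms`, `PubkeyAcceptedAlgorithms` (formerly `PubkeyAcceptedKeyTypes`), `CASignatureAlgorithms`, `HostbasedAcceptedAlgorithms` — which still take the one-line-per-element path where only the first line wins, silently narrowing a hardening policy to a single algorithm. Define that list once at the top of the template and reference it from both branches instead of repeating the literal.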
@@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [11.1.0] +### Fixed +- write ciphers,macs and kex as comma-separated string (#362) +- Fix "No ssh_server_version_major created with OpenSSH 9.2" (#359) + ## [11.0.0] ### Removed - BREAKING CHANGE: drop support for puppet 6 diff --git a/metadata.json b/metadata.json index 7701bee7..ba06b49c 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "saz-ssh", - "version": "11.0.0", + "version": "11.1.0", "author": "saz", "summary": "Manage SSH client and server via Puppet.", "license": "Apache-2.0", From afe5ce9acd43f686166a8ac9aa2721db79417645 Mon Sep 17 00:00:00 2001 From: Evgeni Golov Date: Thu, 12 Oct 2023 11:19:17 +0200 Subject: [PATCH 195/246] puppet/systemd: Allow 6.x --- metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/metadata.json b/metadata.json index ba06b49c..47ade1e0 100644 --- a/metadata.json +++ b/metadata.json @@ -17,7 +17,7 @@ }, { "name": "puppet/systemd", - "version_requirement": ">= 3.7.0 < 6.0.0" + "version_requirement": ">= 3.7.0 < 7.0.0" } ], "operatingsystem_support": [ From 7e97a041906e81088e83c3e326f62d544359fa9f Mon Sep 17 00:00:00 2001 
From: Steffen Zieger Date: Tue, 28 Nov 2023 15:05:14 +0100 Subject: [PATCH 196/246] Update from modulesync_config (#369) * Update from modulesync_config * fix rubocop issues * install required core module on Debian for non-AIO tests --- .github/workflows/ci.yml | 2 +- .github/workflows/release.yml | 2 +- .msync.yml | 2 +- .pmtignore | 1 + Gemfile | 10 ++++------ .../sshclient_options_to_augeas_ssh_config.rb | 2 +- .../sshserver_options_to_augeas_sshd_config.rb | 2 +- spec/setup_acceptance_node.pp | 5 +++++ spec/spec_helper.rb | 1 + 9 files changed, 16 insertions(+), 11 deletions(-) create mode 100644 spec/setup_acceptance_node.pp diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8a077911..b66d8ca7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -13,6 +13,6 @@ concurrency: jobs: puppet: name: Puppet - uses: voxpupuli/gha-puppet/.github/workflows/beaker.yml@v1 + uses: voxpupuli/gha-puppet/.github/workflows/beaker.yml@v2 with: pidfile_workaround: 'false' diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 0fc788e7..af643fa0 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -12,7 +12,7 @@ on: jobs: release: name: Release - uses: voxpupuli/gha-puppet/.github/workflows/release.yml@v1 + uses: voxpupuli/gha-puppet/.github/workflows/release.yml@v2 with: allowed_owner: 'saz' secrets: diff --git a/.msync.yml b/.msync.yml index b929160c..76cd4646 100644 --- a/.msync.yml +++ b/.msync.yml @@ -2,4 +2,4 @@ # Managed by modulesync - DO NOT EDIT # https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ -modulesync_config_version: '6.0.0' +modulesync_config_version: '7.1.0' diff --git a/.pmtignore b/.pmtignore index 58a04088..10b98306 100644 --- a/.pmtignore +++ b/.pmtignore @@ -35,3 +35,4 @@ /.yardoc/ /.yardopts /Dockerfile +/HISTORY.md diff --git a/Gemfile b/Gemfile index 98a04cfb..a4a3b204 100644 --- a/Gemfile +++ b/Gemfile 
@@ -4,10 +4,10 @@ source ENV['GEM_SOURCE'] || 'https://rubygems.org' group :test do - gem 'voxpupuli-test', '~> 6.0', :require => false + gem 'voxpupuli-test', '~> 7.0', :require => false gem 'coveralls', :require => false gem 'simplecov-console', :require => false - gem 'puppet_metadata', '~> 3.0', :require => false + gem 'puppet_metadata', '~> 3.5', :require => false end group :development do @@ -16,13 +16,11 @@ group :development do end group :system_tests do - gem 'voxpupuli-acceptance', '~> 2.0', :require => false + gem 'voxpupuli-acceptance', '~> 3.0', :require => false end group :release do - gem 'github_changelog_generator', '>= 1.16.1', :require => false - gem 'voxpupuli-release', '~> 3.0', :require => false - gem 'faraday-retry', '~> 2.1', :require => false + gem 'voxpupuli-release', '~> 3.0', :require => false end gem 'rake', :require => false diff --git a/lib/puppet/parser/functions/sshclient_options_to_augeas_ssh_config.rb b/lib/puppet/parser/functions/sshclient_options_to_augeas_ssh_config.rb index 01c1a1f4..7bf8d719 100644 --- a/lib/puppet/parser/functions/sshclient_options_to_augeas_ssh_config.rb +++ b/lib/puppet/parser/functions/sshclient_options_to_augeas_ssh_config.rb @@ -1,7 +1,7 @@ # frozen_string_literal: true module Puppet::Parser::Functions - newfunction(:sshclient_options_to_augeas_ssh_config, type: :rvalue, doc: <<-'DOC') do |args| + newfunction(:sshclient_options_to_augeas_ssh_config, type: :rvalue, doc: <<-DOC) do |args| This function will convert a key-value hash to a format understandable by the augeas sshd_config provider It will also optionally deal with keys that should be absent, and inject static parameters if supplied. diff --git a/lib/puppet/parser/functions/sshserver_options_to_augeas_sshd_config.rb b/lib/puppet/parser/functions/sshserver_options_to_augeas_sshd_config.rb index 39a67812..1da59bd8 100644 --- a/lib/puppet/parser/functions/sshserver_options_to_augeas_sshd_config.rb 
+++ b/lib/puppet/parser/functions/sshserver_options_to_augeas_sshd_config.rb @@ -1,7 +1,7 @@ # frozen_string_literal: true module Puppet::Parser::Functions - newfunction(:sshserver_options_to_augeas_sshd_config, type: :rvalue, doc: <<-'DOC') do |args| + newfunction(:sshserver_options_to_augeas_sshd_config, type: :rvalue, doc: <<-DOC) do |args| This function will convert a key-value hash to a format understandable by the augeas sshd_config provider It will also optionally deal with keys that should be absent, and inject static parameters if supplied. diff --git a/spec/setup_acceptance_node.pp b/spec/setup_acceptance_node.pp new file mode 100644 index 00000000..756baef2 --- /dev/null +++ b/spec/setup_acceptance_node.pp @@ -0,0 +1,5 @@ +if fact('os.name') == 'Debian' and !fact('aio_agent_version') { + package { ['puppet-module-puppetlabs-sshkeys-core']: + ensure => present, + } +} diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index 6515b7bf..9efb4ae6 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb @@ -17,3 +17,4 @@ add_custom_fact name.to_sym, value end end +Dir['./spec/support/spec/**/*.rb'].sort.each { |f| require f } From 7e9d28f23c19eb337cc130ccab5ecba0802be1ff Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Tue, 28 Nov 2023 15:16:53 +0100 Subject: [PATCH 197/246] prepare release: v11.2.0 (#368) --- CHANGELOG.md | 4 ++++ metadata.json | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 17f24f03..5e017bc0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [11.2.0] +### Changed +- puppet/systemd: Allow 6.x (#364) + ## [11.1.0] ### Fixed - write ciphers,macs and kex as comma-separated string (#362) 
diff --git a/metadata.json b/metadata.json index 47ade1e0..dc5afbbe 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "saz-ssh", - "version": "11.1.0", + "version": "11.2.0", "author": "saz", "summary": "Manage SSH client and server via Puppet.", "license": "Apache-2.0", From 26da3e97ee66ace47a0caf02ec2d637f2589e71f Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Wed, 27 Mar 2024 10:54:48 +0100 Subject: [PATCH 198/246] allow ssh::server::ensure = latest, fixes #370 (#377) --- manifests/server.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/server.pp b/manifests/server.pp index a21bbb78..7e8fc9ba 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -63,7 +63,7 @@ Stdlib::Absolutepath $sshd_binary, Integer $host_priv_key_group, Hash $default_options, - Enum[present,absent] $ensure = present, + Enum[present,absent,latest] $ensure = present, Boolean $storeconfigs_enabled = true, Hash $options = {}, Boolean $validate_sshd_file = false, From 0efe6ad951832822d70100980800e164cc6eb0d8 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Wed, 27 Mar 2024 11:19:36 +0100 Subject: [PATCH 199/246] add parameter to exclude interfaces with a regex (#378) --- lib/puppet/functions/ssh/ipaddresses.rb | 7 +++++-- manifests/hostkeys.pp | 17 +++++++++-------- spec/functions/ssh/ipaddresses_spec.rb | 24 ++++++++++++++++++------ 3 files changed, 32 insertions(+), 16 deletions(-) diff --git a/lib/puppet/functions/ssh/ipaddresses.rb b/lib/puppet/functions/ssh/ipaddresses.rb index 01f6a6de..624b71fc 100644 --- a/lib/puppet/functions/ssh/ipaddresses.rb +++ b/lib/puppet/functions/ssh/ipaddresses.rb 
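Review bot: Nothing documents what `latest` means for the rest of the class — any branch that compares `$ssh::server::ensure` against `present` (for example to decide whether to manage the config file or service) would now treat `latest` like `absent`; those branches are outside this hunk, so please verify them. The value also carries an operational side effect worth stating: `latest` turns every agent run into an unattended upgrade of the sshd package, with whatever restart the package scripts or a service notify imply (confirm). A one-line doc comment above the parameter would make that explicit: `# @param ensure Package state; 'latest' upgrades the server package on every run.` The `ssh::server` class starts and ends outside the hunk.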
@@ -8,12 +8,14 @@ Puppet::Functions.create_function(:'ssh::ipaddresses') do dispatch :ipaddresses do # @param excluded_interfaces An array of interface names to be excluded. + param 'Array[String[1]]', :excluded_interfaces + # @param excluded_interfaces_re An array of regexp matching interface names to be excluded. + param 'Array[Regexp]', :excluded_interfaces_re # @return The IP addresses found. - optional_param 'Array[String[1]]', :excluded_interfaces return_type 'Array[Stdlib::IP::Address]' end - def ipaddresses(excluded_interfaces = []) + def ipaddresses(excluded_interfaces, excluded_interfaces_re) facts = closure_scope['facts'] # always exclude loopback interface @@ -36,6 +38,7 @@ def ipaddresses(excluded_interfaces = []) interfaces.each do |iface, data| # skip excluded interfaces next if excluded_interfaces.include?(iface) + next if excluded_interfaces_re.any? { |pattern| pattern.match?(iface) } %w[bindings bindings6].each do |binding_type| next unless data.key?(binding_type) diff --git a/manifests/hostkeys.pp b/manifests/hostkeys.pp index 28463d44..8be7075c 100644 --- a/manifests/hostkeys.pp +++ b/manifests/hostkeys.pp @@ -23,13 +23,14 @@ # Array of custom tags # class ssh::hostkeys ( - Boolean $export_ipaddresses = true, - Optional[String[1]] $storeconfigs_group = undef, - Array $extra_aliases = [], - Array $exclude_interfaces = [], - Array $exclude_ipaddresses = [], - Boolean $use_trusted_facts = false, - Optional[Array[String[1]]] $tags = undef, + Boolean $export_ipaddresses = true, + Optional[String[1]] $storeconfigs_group = undef, + Array $extra_aliases = [], + Array $exclude_interfaces = [], + Array[Regexp] $exclude_interfaces_re = [], + Array $exclude_ipaddresses = [], + Boolean $use_trusted_facts = false, + Optional[Array[String[1]]] $tags = undef, ) { if $use_trusted_facts { $fqdn_real = $trusted['certname'] 
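Review bot: Replacing `optional_param` with two required `param`s makes `ssh::ipaddresses($exclude_interfaces)` and the bare `ssh::ipaddresses()` call (the form the spec still labels "without parameters") fail dispatch, a signature break that the changelog in this series files under "Added" rather than as breaking. Unless the break is deliberate, keep both optional: `optional_param 'Array[String[1]]', :excluded_interfaces`, `optional_param 'Array[Regexp]', :excluded_interfaces_re`, and `def ipaddresses(excluded_interfaces = [], excluded_interfaces_re = [])`. The `@param` doc for `excluded_interfaces` should then say the default is `[]`, matching the previous behaviour.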
@@ -41,7 +42,7 @@ } if $export_ipaddresses == true { - $ipaddresses = ssh::ipaddresses($exclude_interfaces) + $ipaddresses = ssh::ipaddresses($exclude_interfaces, $exclude_interfaces_re) $ipaddresses_real = $ipaddresses - $exclude_ipaddresses $host_aliases = sort(unique(flatten([$fqdn_real, $hostname_real, $extra_aliases, $ipaddresses_real]))) } else { diff --git a/spec/functions/ssh/ipaddresses_spec.rb b/spec/functions/ssh/ipaddresses_spec.rb index fe5c2dd4..7490ac77 100644 --- a/spec/functions/ssh/ipaddresses_spec.rb +++ b/spec/functions/ssh/ipaddresses_spec.rb @@ -14,19 +14,31 @@ describe 'without parameters' do it 'returns all IPs other than localhost' do - is_expected.to run.and_return(['172.17.0.1', '10.13.42.61', '10.0.0.110', '10.0.0.104', '10.0.0.109']) + is_expected.to run.with_params([], []).and_return(['172.17.0.1', '10.13.42.61', '10.0.0.110', '10.0.0.104', '10.0.0.109']) end end describe 'with excluded interface' do it 'doesn\'t return the IPs of excluded interface' do - is_expected.to run.with_params(['docker0']).and_return(['10.13.42.61', '10.0.0.110', '10.0.0.104', '10.0.0.109']) + is_expected.to run.with_params(['docker0'], []).and_return(['10.13.42.61', '10.0.0.110', '10.0.0.104', '10.0.0.109']) end end describe 'with excluded interfaces' do it 'doesn\'t return the IPs of those interfaces' do - is_expected.to run.with_params(%w[docker0 eno1]).and_return([]) + is_expected.to run.with_params(%w[docker0 eno1], []).and_return([]) + end + end + + describe 'with excluded re interface' do + it 'doesn\'t return the IPs of excluded interface' do + is_expected.to run.with_params([], [%r{^docker}]).and_return(['10.13.42.61', '10.0.0.110', '10.0.0.104', '10.0.0.109']) + end + end + + describe 'with excluded re interfaces' do + it 'doesn\'t return the IPs of those interfaces' do + is_expected.to run.with_params([], [%r{docker0}, %r{no1$}]).and_return([]) end end end 
@@ -44,19 +56,19 @@ describe 'without parameters' do it 'returns all IPs other than localhost' do - is_expected.to run.and_return(['172.17.0.1', '10.13.42.61']) + is_expected.to run.with_params([], []).and_return(['172.17.0.1', '10.13.42.61']) end end describe 'with excluded interface' do it 'doesn\'t return the IPs of excluded interface' do - is_expected.to run.with_params(['docker0']).and_return(['10.13.42.61']) + is_expected.to run.with_params(['docker0'], []).and_return(['10.13.42.61']) end end describe 'with excluded interfaces' do it 'doesn\'t return the IPs of those interfaces' do - is_expected.to run.with_params(%w[docker0 eno1]).and_return([]) + is_expected.to run.with_params(%w[docker0 eno1], []).and_return([]) end end end From 5c46b8918b7264f55b1600142f23db519b519994 Mon Sep 17 00:00:00 2001 From: C24-AK <139950630+C24-AK@users.noreply.github.com> Date: Wed, 27 Mar 2024 11:20:30 +0100 Subject: [PATCH 200/246] Allow User to add additonal systemd options to instances (#374) --- manifests/server/instances.pp | 8 +++++--- templates/ssh_instance_service.erb | 13 +++++++++++++ 2 files changed, 18 insertions(+), 3 deletions(-) diff --git a/manifests/server/instances.pp b/manifests/server/instances.pp index 90433dc3..901f5449 100644 --- a/manifests/server/instances.pp +++ b/manifests/server/instances.pp @@ -37,9 +37,11 @@ ) { include ssh::server - $sshd_instance_config = assert_type(Hash, pick($options['sshd_config'], {})) - $sshd_instance_matchblocks = assert_type(Hash, pick($options['match_blocks'], {})) - $sshd_service_options = $options['sshd_service_options'] + $sshd_instance_config = assert_type(Hash, pick($options['sshd_config'], {})) + $sshd_instance_matchblocks = assert_type(Hash, pick($options['match_blocks'], {})) + $sshd_service_options = $options['sshd_service_options'] + $sshd_additional_service_options = $options['sshd_additional_service_options'] + #check if server is a linux if $facts['kernel'] == 'Linux' { case $validate_config_file { 
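Review bot: `$sshd_additional_service_options` is read without the `assert_type(Hash, pick(...))` guard its neighbours use, so a scalar or list under that key compiles fine and only fails inside the ERB when `.each do |k,v|` runs, with an error pointing at the template rather than the offending hiera key. Make it consistent: `$sshd_additional_service_options = assert_type(Optional[Hash], $options['sshd_additional_service_options'])`, which still lets the template's `if @sshd_additional_service_options` guard short-circuit on `undef`. The new key should also be listed alongside `sshd_config`, `match_blocks` and `sshd_service_options` in the define's `$options` documentation, which lies outside the hunk.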
diff --git a/templates/ssh_instance_service.erb b/templates/ssh_instance_service.erb index 283a8116..f59164f6 100644 --- a/templates/ssh_instance_service.erb +++ b/templates/ssh_instance_service.erb @@ -9,6 +9,19 @@ After=network.target sshd-keygen.service Wants=sshd-keygen.service [Service] +<%- if @sshd_additional_service_options -%> +<%- @sshd_additional_service_options.each do |k,v| -%> +<%- if v.is_a?(Array) -%> +<%- v.each do |a| -%> +<%- if a != '' && a != nil -%> +<%= k %>=<%= bool2str(a) %> +<%- end -%> +<%- end -%> +<%- elsif v != '' && v != nil -%> +<%= k %>=<%= bool2str(v) %> +<%- end -%> +<%- end -%> +<%- end -%> <% if @sshd_environments_file %> EnvironmentFile=<%= @sshd_environments_file -%> <% end %> From 0c5e42422e8c309502fd0ab6219bc9a968b8805d Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Wed, 27 Mar 2024 11:30:13 +0100 Subject: [PATCH 201/246] prepare release: v12.0.0 (#379) --- CHANGELOG.md | 7 ++++++- metadata.json | 2 +- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5e017bc0..c7e4a027 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,9 +4,14 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). -## [11.2.0] +## [12.0.0] +### Added +- add parameter to exclude interfaces with a regex (#378) +- Allow User to add additonal systemd options to instances (#374) ### Changed - puppet/systemd: Allow 6.x (#364) +### Fixed +- allow ssh::server::ensure = latest, fixes #370 (#377) ## [11.1.0] ### Fixed diff --git a/metadata.json b/metadata.json index dc5afbbe..4f079273 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "saz-ssh", - "version": "11.2.0", + "version": "12.0.0", "author": "saz", "summary": "Manage SSH client and server via Puppet.", "license": "Apache-2.0", 
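Review bot: The loop writes arbitrary operator-supplied `Key=value` pairs into `[Service]` ahead of directives the template emits itself, and nothing prevents a key such as `EnvironmentFile` (visible right after the loop) from appearing twice; systemd tolerates repeats for list-type settings but rejects a second `ExecStart=` unless `Type=oneshot`, so the unit fails to load with an error that points at the generated file rather than the hiera data. Skip the keys the template already manages, e.g. `<%- next if %w[EnvironmentFile ExecStart].include?(k) -%>` as the first line of the loop, or at least document that the hash must not repeat them. Values are also interpolated unescaped, so a value containing a newline injects further directives or a new section into a root-owned unit; a `# values must be single-line` note on the option, or a `fail` in the manifest, would make that contract explicit. `ExecStart` itself is outside this hunk, so confirm which directives follow.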
From 88e70af00e643bc3352a47288f9df104554d8903 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Wed, 27 Mar 2024 15:11:15 +0100 Subject: [PATCH 202/246] make ssh::hostkeys::exclude_interfaces_re parameter work properly (#380) --- lib/puppet/functions/ssh/ipaddresses.rb | 4 ++-- manifests/hostkeys.pp | 5 ++++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/lib/puppet/functions/ssh/ipaddresses.rb b/lib/puppet/functions/ssh/ipaddresses.rb index 624b71fc..e3017be1 100644 --- a/lib/puppet/functions/ssh/ipaddresses.rb +++ b/lib/puppet/functions/ssh/ipaddresses.rb @@ -10,7 +10,7 @@ # @param excluded_interfaces An array of interface names to be excluded. param 'Array[String[1]]', :excluded_interfaces # @param excluded_interfaces_re An array of regexp matching interface names to be excluded. - param 'Array[Regexp]', :excluded_interfaces_re + param 'Array', :excluded_interfaces_re # @return The IP addresses found. return_type 'Array[Stdlib::IP::Address]' end @@ -38,7 +38,7 @@ def ipaddresses(excluded_interfaces, excluded_interfaces_re) interfaces.each do |iface, data| # skip excluded interfaces next if excluded_interfaces.include?(iface) - next if excluded_interfaces_re.any? { |pattern| pattern.match?(iface) } + next if excluded_interfaces_re.any? { |pattern| Regexp.new(pattern).match?(iface) } %w[bindings bindings6].each do |binding_type| next unless data.key?(binding_type) diff --git a/manifests/hostkeys.pp b/manifests/hostkeys.pp index 8be7075c..5839c1b8 100644 --- a/manifests/hostkeys.pp +++ b/manifests/hostkeys.pp @@ -13,6 +13,9 @@ # @param exclude_interfaces # List of interfaces to exclude # +# @param exclude_interfaces_re +# List of regular expressions to exclude interfaces +# # @param exclude_ipaddresses # List of ip addresses to exclude # 
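Review bot: `Regexp.new(pattern)` is now executed once per interface per pattern inside the loop, and a malformed string from Hiera surfaces as a bare `RegexpError` during catalog compile instead of a typed parameter error; the loosened `param 'Array'` also admits integers and hashes, on which `Regexp.new` raises `TypeError`. Compile once and tighten the type: `param 'Array[Variant[String[1],Regexp]]', :excluded_interfaces_re` in the dispatch, `patterns = excluded_interfaces_re.map { |p| Regexp.new(p) }` just above `interfaces.each`, and `next if patterns.any? { |re| re.match?(iface) }` in the loop. A `# strings are compiled as Ruby regexps because Hiera cannot express Regexp literals` comment next to the param would explain why it is not typed `Array[Regexp]`.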
@@ -27,7 +30,7 @@ Optional[String[1]] $storeconfigs_group = undef, Array $extra_aliases = [], Array $exclude_interfaces = [], - Array[Regexp] $exclude_interfaces_re = [], + Array $exclude_interfaces_re = [], Array $exclude_ipaddresses = [], Boolean $use_trusted_facts = false, Optional[Array[String[1]]] $tags = undef, From 54ab3bd4d06f64d152c35d3e6822d044d279f038 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Wed, 27 Mar 2024 15:16:09 +0100 Subject: [PATCH 203/246] prepare release: v12.0.1 (#381) --- CHANGELOG.md | 4 ++++ metadata.json | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c7e4a027..0471cfc3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [12.0.1] +### Fixed +- make ssh::hostkeys::exclude_interfaces_re parameter work properly (#380) + ## [12.0.0] ### Added - add parameter to exclude interfaces with a regex (#378) diff --git a/metadata.json b/metadata.json index 4f079273..c1f50843 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "saz-ssh", - "version": "12.0.0", + "version": "12.0.1", "author": "saz", "summary": "Manage SSH client and server via Puppet.", "license": "Apache-2.0", From f8a311052793e07b6c41de6b53bc8fec89214520 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Sat, 18 May 2024 11:59:40 +0200 Subject: [PATCH 204/246] allow puppet/systemd < 8, fixes #382 --- metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/metadata.json b/metadata.json index c1f50843..9a306fea 100644 --- a/metadata.json +++ b/metadata.json @@ -17,7 +17,7 @@ }, { "name": "puppet/systemd", - "version_requirement": ">= 3.7.0 < 7.0.0" + "version_requirement": ">= 3.7.0 < 8.0.0" } ], "operatingsystem_support": [ 
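Review bot: `Array $exclude_interfaces_re = []` removes the element type entirely at the public parameter boundary, so a stray integer or hash in Hiera is only caught later inside the function as a Ruby exception. The function compiles each entry with `Regexp.new`, which accepts a String or a Regexp, so `Array[Variant[String[1], Regexp]] $exclude_interfaces_re = [],` keeps the string form this fix enables while still rejecting bad input with a parameter-level message. The parameter list continues outside the hunk.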
From 266b19f56abda2185c41e35c339583f4db4a2876 Mon Sep 17 00:00:00 2001
From: Steffen Zieger
Date: Thu, 23 May 2024 11:57:54 +0200
Subject: [PATCH 205/246] fix tests on OpenBSD (#384)

---
 spec/classes/init_spec.rb | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
index f4ffdb2c..285421bf 100644
--- a/spec/classes/init_spec.rb
+++ b/spec/classes/init_spec.rb
@@ -62,6 +62,11 @@
 ssh_config_expected_custom = "# File managed by Puppet\n\nHostFoo\n HostName bar\nSomeOtherKey someValue\n"
 sshd_config_default = "# File is managed by Puppet\n\nChallengeResponseAuthentication no\nHostKey /etc/ssh/ssh_host_rsa_key\nHostKey /etc/ssh/ssh_host_dsa_key\nPrintMotd no\nSubsystem sftp #{sftp_server_path}\nX11Forwarding yes\n"
 sshd_config_custom = "# File is managed by Puppet\n\nChallengeResponseAuthentication no\nHostKey /etc/ssh/ssh_host_rsa_key\nHostKey /etc/ssh/ssh_host_dsa_key\nPrintMotd no\nSomeOtherKey someValue\nSubsystem sftp #{sftp_server_path}\nUsePAM no\nX11Forwarding no\n"
+ when 'OpenBSD'
+ ssh_config_expected_default = "# File managed by Puppet\n\nHost *\n HashKnownHosts yes\n SendEnv LANG LC_*\n"
+ ssh_config_expected_custom = "# File managed by Puppet\n\nHostFoo\n HostName bar\nSomeOtherKey someValue\nHost *\n HashKnownHosts yes\n SendEnv LANG LC_*\n"
+ sshd_config_default = "# File is managed by Puppet\n\nAcceptEnv LANG LC_*\nChallengeResponseAuthentication no\nPrintMotd no\nSubsystem sftp #{sftp_server_path}\nX11Forwarding yes\n"
+ sshd_config_custom = "# File is managed by Puppet\n\nAcceptEnv LANG LC_*\nChallengeResponseAuthentication no\nPrintMotd no\nSomeOtherKey someValue\nSubsystem sftp #{sftp_server_path}\nUsePAM no\nX11Forwarding no\n"
 else
 ssh_config_expected_default = "# File managed by Puppet\n\nHost *\n HashKnownHosts yes\n SendEnv LANG LC_*\n"
 ssh_config_expected_custom = "# File managed by Puppet\n\nHostFoo\n HostName bar\nSomeOtherKey someValue\nHost *\n HashKnownHosts yes\n SendEnv LANG LC_*\n"
From 665feba599a72e968320b319e9c55084e316ab65 Mon Sep 17 00:00:00 2001
From: Steffen Zieger
Date: Thu, 23 May 2024 12:06:27 +0200
Subject: [PATCH 206/246] set sshd config mode to 0644 on AIX, fixes #371 (#383)

---
 README.md | 2 +-
 data/AIX.yaml | 1 +
 data/common.yaml | 1 +
 manifests/server.pp | 4 ++++
 manifests/server/config.pp | 4 ++--
 5 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md index ae354185..4dc01202 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# Puppet SSH [![Support via Gratipay](https://cdn.rawgit.com/gratipay/gratipay-badge/2.3.0/dist/gratipay.svg)](https://gratipay.com/~saz/) +# Puppet SSH [![Puppet Forge modules by saz](https://img.shields.io/puppetforge/mc/saz.svg)](https://forge.puppetlabs.com/saz) [![Puppet Forge](http://img.shields.io/puppetforge/v/saz/ssh.svg)](https://forge.puppetlabs.com/saz/ssh) diff --git a/data/AIX.yaml b/data/AIX.yaml index 7ee10d47..0ad4feaf 100644 --- a/data/AIX.yaml +++ b/data/AIX.yaml @@ -2,6 +2,7 @@ ssh::server::sshd_dir: '/etc/ssh' ssh::server::sshd_binary: '/usr/sbin/sshd' ssh::server::sshd_config: '/etc/ssh/sshd_config' +ssh::server::sshd_config_mode: '0644' ssh::server::ssh_config: '/etc/ssh/ssh_config' ssh::server::ssh_known_hosts: '/etc/ssh/ssh_known_hosts' ssh::server::service_name: 'sshd' diff --git a/data/common.yaml b/data/common.yaml index 51bc808d..cf12c2cd 100644 --- a/data/common.yaml +++ b/data/common.yaml @@ -15,6 +15,7 @@ lookup_options: ssh::server::sshd_dir: '/etc/ssh' ssh::server::sshd_config: '/etc/ssh/sshd_config' +ssh::server::sshd_config_mode: '0600' ssh::client::ssh_config: '/etc/ssh/ssh_config' ssh::server::service_name: 'svc:/network/ssh:default' ssh::sftp_server_path: 'internal-sftp' diff --git a/manifests/server.pp b/manifests/server.pp index 7e8fc9ba..f5ed7ae9 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -20,6 +20,9 @@ # @param sshd_binary # Path to the sshd binary # +# @param sshd_config_mode +# Mode to set on the sshd config file +# # @param host_priv_key_group # Name of the group for the private host key # @@ -61,6 +64,7 @@ Stdlib::Absolutepath $sshd_config, Stdlib::Absolutepath $sshd_dir, Stdlib::Absolutepath $sshd_binary, + Stdlib::Filemode $sshd_config_mode, Integer $host_priv_key_group, Hash $default_options, Enum[present,absent,latest] $ensure = present, 
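Review bot: The new `@param sshd_config_mode` text says only `Mode to set on the sshd config file`, while the same commit sets `'0644'` in `data/AIX.yaml` against `'0600'` in `data/common.yaml` without saying why AIX differs or what widening the mode exposes. I would make the comment `# Mode to set on the sshd config file. Defaults to '0600'; AIX uses '0644' (see #371). Keep it unreadable to other users where the platform allows, since sshd_config reveals Match/AllowUsers policy.` The reason AIX needs `0644` is stated neither in the hunk nor in the commit message, so the reference to #371 is as much as can be claimed here.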
diff --git a/manifests/server/config.pp b/manifests/server/config.pp index da12a7ee..b7d0e80a 100644 --- a/manifests/server/config.pp +++ b/manifests/server/config.pp @@ -28,7 +28,7 @@ ensure => present, owner => 0, group => 0, - mode => '0600', + mode => $ssh::server::sshd_config_mode, validate_cmd => $sshd_validate_cmd, notify => Service[$ssh::server::service_name], } @@ -45,7 +45,7 @@ ensure => file, owner => 0, group => 0, - mode => '0644', + mode => $ssh::server::sshd_config_mode, content => template("${module_name}/issue.net.erb"), notify => Service[$ssh::server::service_name], } From 3f6eff78b2b886ec552f1b1d31fe5082509c528c Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Thu, 23 May 2024 16:03:11 +0200 Subject: [PATCH 207/246] drop tag from concat_{file,fragment}, fixes #304 (#385) --- manifests/client/config/user.pp | 2 -- spec/defines/client/config/user_spec.rb | 4 ++-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/manifests/client/config/user.pp b/manifests/client/config/user.pp index a9425b05..e61c6469 100644 --- a/manifests/client/config/user.pp +++ b/manifests/client/config/user.pp @@ -74,11 +74,9 @@ ensure => $ensure, owner => $user, mode => $ssh_config_default_mode, - tag => $name, } } concat_fragment { $name: - tag => $name, content => template("${module_name}/ssh_config.erb"), target => $_target, } diff --git a/spec/defines/client/config/user_spec.rb b/spec/defines/client/config/user_spec.rb index b40b27d7..598f06a4 100644 --- a/spec/defines/client/config/user_spec.rb +++ b/spec/defines/client/config/user_spec.rb @@ -57,8 +57,8 @@ end it { - is_expected.to contain_concat_file(target).with(ensure: 'present', tag: title) - is_expected.to contain_concat_fragment(title).with(tag: title, target: target) + is_expected.to contain_concat_file(target).with(ensure: 'present') + is_expected.to contain_concat_fragment(title).with(target: target) } end # describe 'with a user provided target' 
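Review bot: The second hunk also applies `$ssh::server::sshd_config_mode` to the `issue.net` banner, so on every platform except AIX that file silently changes from `0644` to the new `common.yaml` default of `0600`, although the parameter is documented as the mode of the sshd config file and #371 concerns only that file. sshd reads the `Banner` file itself with root privileges, so logins should keep working, but any other consumer of `/etc/issue.net` (login, getty, an MOTD script) would now get permission denied, and the change is not reflected in the changelog entry. Keep the banner at `mode => '0644',` and scope the new parameter to `sshd_config`, or add a dedicated `issue_net_mode` parameter. The `file` resource title for the banner is outside the hunk.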
From c2175e46a0cb23433ea971712872f2de87499a20 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Fri, 24 May 2024 10:03:46 +0200 Subject: [PATCH 208/246] fix subsystem option if use_augeas = true, fixes #376 (#386) --- manifests/server/config.pp | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/manifests/server/config.pp b/manifests/server/config.pp index b7d0e80a..4aa3c56f 100644 --- a/manifests/server/config.pp +++ b/manifests/server/config.pp @@ -19,8 +19,15 @@ if $ssh::server::use_augeas { $options.each |String $k, Hash $v| { - sshd_config { $k: - * => $v, + if $k.downcase == 'subsystem' { + $_v = $v.match(/(^(\w+)\s+(.*)$)/) + sshd_config_subsystem { $v[2]: + command => $v[3], + } + } else { + sshd_config { $k: + * => $v, + } } } } else { From b9a667586413907a39d1816c7c6b9d8ee2c260c1 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Fri, 24 May 2024 14:58:07 +0200 Subject: [PATCH 209/246] use `contain` instead of `include`, fixes #367 (#387) --- manifests/client.pp | 6 +++--- manifests/client/config/user.pp | 2 +- manifests/server.pp | 10 +++++----- manifests/server/config/setting.pp | 2 +- manifests/server/host_key.pp | 2 +- manifests/server/instances.pp | 2 +- 6 files changed, 12 insertions(+), 12 deletions(-) diff --git a/manifests/client.pp b/manifests/client.pp index b0be0a43..dd450646 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -52,13 +52,13 @@ $merged_options = deep_merge($options, delete($default_options, keys($options))) } - include ssh::client::install - include ssh::client::config + contain ssh::client::install + contain ssh::client::config # Provide option to *not* use storeconfigs/puppetdb, which means not managing # hostkeys and knownhosts if ($storeconfigs_enabled) { - include ssh::knownhosts + contain ssh::knownhosts Class['ssh::client::install'] -> Class['ssh::client::config'] diff --git a/manifests/client/config/user.pp b/manifests/client/config/user.pp index e61c6469..753f0e40 100644 
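Review bot: The subsystem branch stores the match result in `$_v` and then reads `$v[2]` and `$v[3]` from the original value, so the captured name and command are never used; `$v` is also declared `Hash` in the lambda one line above, so `$v.match(...)` should fail with a type error at compile time rather than run. The augeas-form hash presumably carries the option text under `'value'` together with `'ensure'` and `'target'` (verify against the converter function), and those are dropped here, so an absent Subsystem or a per-instance target would not reach `sshd_config_subsystem`. I would match on `$v['value']`, fail on a value that is not `<name> <command>`, and forward `ensure` and `target` if the provider accepts them; the `$options.each` lambda and the enclosing `if $ssh::server::use_augeas` begin and end outside the hunk.
```puppet
      if $k.downcase == 'subsystem' {
        # A Subsystem line is "<name> <command>"; the augeas provider wants them split.
        $_v = $v['value'].match(/^(\w+)\s+(.*)$/)
        if $_v == undef {
          fail("Subsystem option '${v['value']}' is not of the form '<name> <command>'")
        }
        sshd_config_subsystem { $_v[1]:
          ensure  => pick($v['ensure'], 'present'),
          command => $_v[2],
          target  => $v['target'],
        }
      } else {
        # … unchanged: generic sshd_config resource …
      }
```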
--- a/manifests/client/config/user.pp +++ b/manifests/client/config/user.pp @@ -40,7 +40,7 @@ String[1] $ssh_directory_default_mode = '0700', String[1] $ssh_config_default_mode = '0600', ) { - include ssh::client + contain ssh::client # If a specific target file was specified, # it must have higher priority than any diff --git a/manifests/server.pp b/manifests/server.pp index f5ed7ae9..086fcf09 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -84,15 +84,15 @@ $merged_options = deep_merge($default_options, $options) } - include ssh::server::install - include ssh::server::config - include ssh::server::service + contain ssh::server::install + contain ssh::server::config + contain ssh::server::service # Provide option to *not* use storeconfigs/puppetdb, which means not managing # hostkeys and knownhosts if ($storeconfigs_enabled) { - include ssh::hostkeys - include ssh::knownhosts + contain ssh::hostkeys + contain ssh::knownhosts Class['ssh::server::install'] -> Class['ssh::server::config'] diff --git a/manifests/server/config/setting.pp b/manifests/server/config/setting.pp index 7c114f3d..de9fe9f2 100644 --- a/manifests/server/config/setting.pp +++ b/manifests/server/config/setting.pp @@ -15,7 +15,7 @@ Variant[Boolean, Array, Hash, String] $value, Variant[String[1], Integer] $order = '10' ) { - include ssh::server + contain ssh::server $real_value = $value ? { Boolean => $value ? { diff --git a/manifests/server/host_key.pp b/manifests/server/host_key.pp index d0ceb7b2..ca3e1057 100644 --- a/manifests/server/host_key.pp +++ b/manifests/server/host_key.pp @@ -45,7 +45,7 @@ Optional[String[1]] $certificate_content = undef, ) { # Ensure the ssh::server class is included in the manifest - include ssh::server + contain ssh::server if $ensure == 'present' { if ! $public_key_source and ! $public_key_content { diff --git a/manifests/server/instances.pp b/manifests/server/instances.pp index 901f5449..049dcd28 100644 --- a/manifests/server/instances.pp 
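Review bot: `contain ssh::server` inside the defined types `ssh::server::config::setting` and `ssh::server::host_key` (and `contain ssh::client` in `ssh::client::config::user`) makes every instance of those defines a container of the class, a stronger edge than the `include` it replaces. `ssh::server::config::setting` is described in this series' REFERENCE as an internal define; if it is declared from any class that `ssh::server` now contains, the graph gains a containment cycle `Class[ssh::server] -> Class[ssh::server::config] -> Ssh::Server::Config::Setting[x] -> Class[ssh::server]` and the agent aborts with a dependency-cycle error — the call site is not visible from the hunk, so this needs checking. For an internal define `include ssh::server` was the safe choice; I would revert that one line and note `# include, not contain: this define may be declared from inside ssh::server's own containment`. The define bodies start and end outside their hunks.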
+++ b/manifests/server/instances.pp @@ -35,7 +35,7 @@ Stdlib::Absolutepath $sshd_binary = $ssh::server::sshd_binary, Optional[Stdlib::Absolutepath] $sshd_environments_file = $ssh::server::sshd_environments_file, ) { - include ssh::server + contain ssh::server $sshd_instance_config = assert_type(Hash, pick($options['sshd_config'], {})) $sshd_instance_matchblocks = assert_type(Hash, pick($options['match_blocks'], {})) From b6a02043b22e519cc5d3579303625f958eef8f0f Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Sat, 25 May 2024 11:18:21 +0200 Subject: [PATCH 210/246] release: v12.1.0 (#388) --- CHANGELOG.md | 11 +++++++++++ metadata.json | 2 +- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0471cfc3..1f494d20 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,17 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [12.1.0] +### Added +- allow puppet/systemd < 8, fixes #382 +### Changed +- set sshd config mode to 0644 on AIX, fixes #371 (#383) +- use `contain` instead of `include`, fixes #367 (#387) +### Fixed +- fix tests on OpenBSD (#384) +- drop tag from concat_{file,fragment}, fixes #304 (#385) +- fix subsystem option if use_augeas = true, fixes #376 (#386) + ## [12.0.1] ### Fixed - make ssh::hostkeys::exclude_interfaces_re parameter work properly (#380) diff --git a/metadata.json b/metadata.json index 9a306fea..d980c627 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "saz-ssh", - "version": "12.0.1", + "version": "12.1.0", "author": "saz", "summary": "Manage SSH client and server via Puppet.", "license": "Apache-2.0", From 648d79e71bfa0260bc3430527e13d7690abeee86 Mon Sep 17 00:00:00 2001 
From: Steffen Zieger Date: Wed, 9 Oct 2024 17:06:49 +0200 Subject: [PATCH 211/246] Update to module template files (#394) * Update from modulesync_config * drop some EOL operating system releases, allow puppet/systemd < 8.0.0 --- .rspec => .github/labeler.yml | 5 +++-- .github/release.yml | 42 +++++++++++++++++++++++++++++++++++ .github/workflows/ci.yml | 12 ++++++---- .github/workflows/labeler.yml | 18 +++++++++++++++ .github/workflows/release.yml | 10 ++++++++- .gitignore | 2 ++ .msync.yml | 2 +- .overcommit.yml | 8 ++++--- .pmtignore | 1 + .puppet-lint.rc | 3 +++ .rspec_parallel | 4 ---- Dockerfile | 24 -------------------- Gemfile | 6 ++--- metadata.json | 6 ----- spec/spec.opts | 6 ----- spec/spec_helper.rb | 4 ++++ 16 files changed, 99 insertions(+), 54 deletions(-) rename .rspec => .github/labeler.yml (63%) create mode 100644 .github/release.yml create mode 100644 .github/workflows/labeler.yml delete mode 100644 .rspec_parallel delete mode 100644 Dockerfile delete mode 100644 spec/spec.opts diff --git a/.rspec b/.github/labeler.yml similarity index 63% rename from .rspec rename to .github/labeler.yml index f634583d..f2d08d6b 100644 --- a/.rspec +++ b/.github/labeler.yml @@ -1,5 +1,6 @@ +--- # Managed by modulesync - DO NOT EDIT # https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ ---format documentation ---color +skip-changelog: + - head-branch: ['^release-*', 'release'] diff --git a/.github/release.yml b/.github/release.yml new file mode 100644 index 00000000..f5b5d7a9 --- /dev/null +++ b/.github/release.yml 
@@ -0,0 +1,42 @@ +--- +# Managed by modulesync - DO NOT EDIT +# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ + +# https://docs.github.com/en/repositories/releasing-projects-on-github/automatically-generated-release-notes + +changelog: + exclude: + labels: + - duplicate + - invalid + - modulesync + - question + - skip-changelog + - wont-fix + - wontfix + + categories: + - title: Breaking Changes 🛠 + labels: + - backwards-incompatible + + - title: New Features 🎉 + labels: + - enhancement + + - title: Bug Fixes 🐛 + labels: + - bug + + - title: Documentation Updates 📚 + labels: + - documentation + - docs + + - title: Dependency Updates ⬆️ + labels: + - dependencies + + - title: Other Changes + labels: + - "*" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b66d8ca7..8c32acf9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -4,7 +4,13 @@ name: CI -on: pull_request +# yamllint disable-line rule:truthy +on: + pull_request: {} + push: + branches: + - main + - master concurrency: group: ${{ github.ref_name }} @@ -13,6 +19,4 @@ concurrency: jobs: puppet: name: Puppet - uses: voxpupuli/gha-puppet/.github/workflows/beaker.yml@v2 - with: - pidfile_workaround: 'false' + uses: voxpupuli/gha-puppet/.github/workflows/beaker.yml@v3 diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml new file mode 100644 index 00000000..73be88dc --- /dev/null +++ b/.github/workflows/labeler.yml @@ -0,0 +1,18 @@ +--- +# Managed by modulesync - DO NOT EDIT +# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ + +name: "Pull Request Labeler" + +# yamllint disable-line rule:truthy +on: + pull_request_target: {} + +jobs: + labeler: + permissions: + contents: read + pull-requests: write + runs-on: ubuntu-latest + steps: + - uses: actions/labeler@v5 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index af643fa0..79fb09bf 100644 --- a/.github/workflows/release.yml 
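Review bot: `labeler.yml` triggers on `pull_request_target`, which runs in the base repository's context with a write-capable token even for fork PRs, and it references `actions/labeler@v5` by a mutable tag, so whoever can move that tag runs code with `pull-requests: write` here. The job does limit permissions and does not check out the PR head, which is the right shape; pinning completes it: `- uses: actions/labeler@<full-commit-sha> # v5`. The same applies to `voxpupuli/gha-puppet/.github/workflows/beaker.yml@v3` in `ci.yml`, and since both files are marked `Managed by modulesync - DO NOT EDIT`, the pin belongs in the shared modulesync template rather than in a local edit.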
+++ b/.github/workflows/release.yml @@ -4,6 +4,7 @@ name: Release +# yamllint disable-line rule:truthy on: push: tags: @@ -12,7 +13,7 @@ on: jobs: release: name: Release - uses: voxpupuli/gha-puppet/.github/workflows/release.yml@v2 + uses: voxpupuli/gha-puppet/.github/workflows/release.yml@v3 with: allowed_owner: 'saz' secrets: @@ -20,3 +21,10 @@ jobs: # https://docs.github.com/en/actions/security-guides/encrypted-secrets username: ${{ secrets.PUPPET_FORGE_USERNAME }} api_key: ${{ secrets.PUPPET_FORGE_API_KEY }} + + create-github-release: + name: Create GitHub Release + runs-on: ubuntu-latest + steps: + - name: Create GitHub release + uses: voxpupuli/gha-create-a-github-release@v1 diff --git a/.gitignore b/.gitignore index 84fd904c..adea1b01 100644 --- a/.gitignore +++ b/.gitignore @@ -21,3 +21,5 @@ .*.sw? /.yardoc/ /Guardfile +bolt-debug.log +.rerun.json diff --git a/.msync.yml b/.msync.yml index 76cd4646..ac84b45d 100644 --- a/.msync.yml +++ b/.msync.yml @@ -2,4 +2,4 @@ # Managed by modulesync - DO NOT EDIT # https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ -modulesync_config_version: '7.1.0' +modulesync_config_version: '9.3.0' diff --git a/.overcommit.yml b/.overcommit.yml index d367adae..4ed994cc 100644 --- a/.overcommit.yml +++ b/.overcommit.yml @@ -43,10 +43,12 @@ PreCommit: enabled: true description: 'Runs rubocop on modified files only' command: ['bundle', 'exec', 'rubocop'] - PuppetLint: + RakeTarget: enabled: true - description: 'Runs puppet-lint on modified files only' - command: ['bundle', 'exec', 'puppet-lint'] + description: 'Runs lint on modified files only' + targets: + - 'lint' + command: ['bundle', 'exec', 'rake'] YamlSyntax: enabled: true JsonSyntax: diff --git a/.pmtignore b/.pmtignore index 10b98306..a9d37aa0 100644 --- a/.pmtignore +++ b/.pmtignore @@ -20,6 +20,7 @@ /.github/ /.librarian/ /Puppetfile.lock +/Puppetfile *.iml /.editorconfig /.fixtures.yml 
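Review bot: The new `create-github-release` job has no `permissions:` block, so it runs with whatever the repository's default `GITHUB_TOKEN` scope is; that default, not this file, decides whether `voxpupuli/gha-create-a-github-release@v1` can create the release, and if it is the permissive legacy default the job holds far more than it needs. Declare it explicitly and minimally on the job, `permissions: contents: write`, and pin the action to a commit SHA with the tag as a comment (`@<sha> # v1`), since the tag is mutable. The workflow's `on:` block and any top-level `permissions:` are outside the hunk, so I cannot tell whether a narrower default is already set there.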
diff --git a/.puppet-lint.rc b/.puppet-lint.rc index dd8272c7..05d28a26 100644 --- a/.puppet-lint.rc +++ b/.puppet-lint.rc @@ -1,3 +1,6 @@ +# Managed by modulesync - DO NOT EDIT +# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ + --fail-on-warnings --no-parameter_documentation-check --no-parameter_types-check diff --git a/.rspec_parallel b/.rspec_parallel deleted file mode 100644 index a9a84f85..00000000 --- a/.rspec_parallel +++ /dev/null @@ -1,4 +0,0 @@ -# Managed by modulesync - DO NOT EDIT -# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ - ---format progress diff --git a/Dockerfile b/Dockerfile deleted file mode 100644 index 8dd82d63..00000000 --- a/Dockerfile +++ /dev/null @@ -1,24 +0,0 @@ -# MANAGED BY MODULESYNC -# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ - -FROM ruby:2.7 - -WORKDIR /opt/puppet - -# https://github.com/puppetlabs/puppet/blob/06ad255754a38f22fb3a22c7c4f1e2ce453d01cb/lib/puppet/provider/service/runit.rb#L39 -RUN mkdir -p /etc/sv - -ARG PUPPET_GEM_VERSION="~> 6.0" -ARG PARALLEL_TEST_PROCESSORS=4 - -# Cache gems -COPY Gemfile . -RUN bundle install --without system_tests development release --path=${BUNDLE_PATH:-vendor/bundle} - -COPY . . - -RUN bundle install -RUN bundle exec rake release_checks - -# Container should not saved -RUN exit 1 diff --git a/Gemfile b/Gemfile index a4a3b204..2ac98f89 100644 --- a/Gemfile +++ b/Gemfile @@ -4,10 +4,10 @@ source ENV['GEM_SOURCE'] || 'https://rubygems.org' group :test do - gem 'voxpupuli-test', '~> 7.0', :require => false + gem 'voxpupuli-test', '~> 9.0', :require => false gem 'coveralls', :require => false gem 'simplecov-console', :require => false - gem 'puppet_metadata', '~> 3.5', :require => false + gem 'puppet_metadata', '~> 4.0', :require => false end group :development do 
@@ -26,7 +26,7 @@ end gem 'rake', :require => false gem 'facter', ENV['FACTER_GEM_VERSION'], :require => false, :groups => [:test] -puppetversion = ENV['PUPPET_GEM_VERSION'] || '~> 7.24' +puppetversion = ENV['PUPPET_GEM_VERSION'] || [">= 7.24", "< 9"] gem 'puppet', puppetversion, :require => false, :groups => [:test] # vim: syntax=ruby diff --git a/metadata.json b/metadata.json index d980c627..f95c111e 100644 --- a/metadata.json +++ b/metadata.json @@ -24,7 +24,6 @@ { "operatingsystem": "RedHat", "operatingsystemrelease": [ - "7", "8", "9" ] @@ -32,15 +31,12 @@ { "operatingsystem": "CentOS", "operatingsystemrelease": [ - "7", - "8", "9" ] }, { "operatingsystem": "OracleLinux", "operatingsystemrelease": [ - "7", "8", "9" ] @@ -56,7 +52,6 @@ { "operatingsystem": "Debian", "operatingsystemrelease": [ - "10", "11", "12" ] @@ -85,7 +80,6 @@ { "operatingsystem": "FreeBSD", "operatingsystemrelease": [ - "12", "13" ] }, diff --git a/spec/spec.opts b/spec/spec.opts deleted file mode 100644 index 91cd6427..00000000 --- a/spec/spec.opts +++ /dev/null @@ -1,6 +0,0 @@ ---format -s ---colour ---loadby -mtime ---backtrace diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index 9efb4ae6..58c9b66a 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb @@ -9,6 +9,10 @@ require 'voxpupuli/test/spec_helper' +RSpec.configure do |c| + c.facterdb_string_keys = false +end + add_mocked_facts! if File.exist?(File.join(__dir__, 'default_module_facts.yml')) From c083f64169f5c1a4669a17d960264803970ed125 Mon Sep 17 00:00:00 2001 From: Christoph Maser Date: Wed, 9 Oct 2024 17:07:28 +0200 Subject: [PATCH 212/246] add REFERENCE.md (#392) --- REFERENCE.md | 1377 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 1377 insertions(+) create mode 100644 REFERENCE.md diff --git a/REFERENCE.md b/REFERENCE.md new file mode 100644 index 00000000..4578f022 --- /dev/null +++ b/REFERENCE.md 
@@ -0,0 +1,1377 @@ +# Reference + + + +## Table of Contents + +### Classes + +#### Public Classes + +* [`ssh`](#ssh): This class manages ssh client and server +* [`ssh::client`](#ssh--client): This class add ssh client management +* [`ssh::hostkeys`](#ssh--hostkeys): This class manages hostkeys +* [`ssh::knownhosts`](#ssh--knownhosts): This class manages knownhosts if collection is enabled. +* [`ssh::server`](#ssh--server): This class managed ssh server + +#### Private Classes + +* `ssh::client::config`: Manages ssh configuration +* `ssh::client::install`: Install ssh client package +* `ssh::server::config`: Managed ssh server configuration +* `ssh::server::install`: Install ssh server package +* `ssh::server::service`: This class managed ssh server service + +### Defined types + +* [`ssh::client::config::user`](#ssh--client--config--user): This defined type manages a users ssh config +* [`ssh::client::match_block`](#ssh--client--match_block): Add match_block to ssh client config (concat needed) +* [`ssh::server::config::setting`](#ssh--server--config--setting): Internal define to managed ssh server param +* [`ssh::server::host_key`](#ssh--server--host_key): Manage a ssh host key + +This module install a ssh host key in the server (basically, it is +a file resource but it also notifies to the ssh service) + +Important! This define does not modify any option in sshd_config, so +you have to manually define the HostKey option in the server options +if you haven't done yet. 
+* [`ssh::server::instances`](#ssh--server--instances): Configure separate ssh server instances +* [`ssh::server::match_block`](#ssh--server--match_block): Add match_block to ssh server config +* [`ssh::server::options`](#ssh--server--options): This defined type manages ssh server options + +### Functions + +#### Public Functions + +* [`sshclient_options_to_augeas_ssh_config`](#sshclient_options_to_augeas_ssh_config): This function will convert a key-value hash to a format understandable by the augeas sshd_config provider It will also optionally deal with k +* [`sshserver_options_to_augeas_sshd_config`](#sshserver_options_to_augeas_sshd_config): This function will convert a key-value hash to a format understandable by the augeas sshd_config provider It will also optionally deal with k + +#### Private Functions + +* `ssh::ipaddresses`: Returns ip addresses of network interfaces (except lo) found by facter. + +### Data types + +* [`Ssh::ClientMatch`](#Ssh--ClientMatch): OpenSSH client `Match` criteria. 
See `ssh_config(5)` + +## Classes + +### `ssh` + +} + +#### Examples + +##### Puppet usage + +```puppet +class { 'ssh': + storeconfigs_enabled => false, + server_options => { + 'Match User www-data' => { + 'ChrootDirectory' => '%h', + 'ForceCommand' => 'internal-sftp', + 'PasswordAuthentication' => 'yes', + 'AllowTcpForwarding' => 'no', + 'X11Forwarding' => 'no', + }, + 'Port' => [22, 2222, 2288], + }, + client_options => { + 'Host *.amazonaws.com' => { + 'User' => 'ec2-user', + }, + }, + users_client_options => { + 'bob' => { + options => { + 'Host *.alice.fr' => { + 'User' => 'alice', + }, + }, + }, + }, + 'server_instances' => { + 'sftp_server_init' => { + 'ensure' => 'present', + 'options' => { + 'sshd_config' => { + 'Port' => 8022, + 'Protocol' => 2, + 'AddressFamily' => 'any', + 'HostKey' => '/etc/ssh/ssh_host_rsa_key', + 'SyslogFacility' => 'AUTH', + 'LogLevel' => 'INFO', + 'PermitRootLogin' => 'no', + }, + 'sshd_service_options' => '', + 'match_blocks' => { + '*,!ssh_exempt_ldap_authkey,!sshlokey' => { + 'type' => 'group', + 'options' => { + 'AuthorizedKeysCommand' => '/usr/local/bin/getauthkey', + 'AuthorizedKeysCommandUser' => 'nobody', + 'AuthorizedKeysFile' => '/dev/null', + }, + }, + }, + }, + }, + }, +``` + +##### hiera usage + +```puppet +ssh::storeconfigs_enabled: true + +ssh::server_options: + Protocol: '2' + ListenAddress: + - '127.0.0.0' + - '%{::hostname}' + PasswordAuthentication: 'yes' + SyslogFacility: 'AUTHPRIV' + UsePAM: 'yes' + X11Forwarding: 'yes' + +ssh::server::match_block: + filetransfer: + type: group + options: + ChrootDirectory: /home/sftp + ForceCommand: internal-sftp + +ssh::client_options: + 'Host *': + SendEnv: 'LANG LC_*' + ForwardX11Trusted: 'yes' + ServerAliveInterval: '10' + +ssh::users_client_options: + 'bob': + 'options': + 'Host *.alice.fr': + 'User': 'alice' + 'PasswordAuthentication': 'no' + ssh::server::server_instances: + sftp_server_init: + ensure: present + options: + sshd_config: + Port: 8022 + Protocol: 2 + 
AddressFamily: 'any' + HostKey: '/etc/ssh/ssh_host_rsa_key' + SyslogFacility: 'AUTH' + LogLevel: INFO + PermitRootLogin: 'no' + sshd_service_options: '' + match_blocks: + '*,!ssh_exempt_ldap_authkey,!sshlokey': + type: group + options: + AuthorizedKeysCommand: '/usr/local/bin/getauthkey' + AuthorizedKeysCommandUser: 'nobody' + AuthorizedKeysFile: '/dev/null' +``` + +#### Parameters + +The following parameters are available in the `ssh` class: + +* [`server_options`](#-ssh--server_options) +* [`server_match_block`](#-ssh--server_match_block) +* [`client_options`](#-ssh--client_options) +* [`client_match_block`](#-ssh--client_match_block) +* [`users_client_options`](#-ssh--users_client_options) +* [`version`](#-ssh--version) +* [`storeconfigs_enabled`](#-ssh--storeconfigs_enabled) +* [`validate_sshd_file`](#-ssh--validate_sshd_file) +* [`use_augeas`](#-ssh--use_augeas) +* [`server_options_absent`](#-ssh--server_options_absent) +* [`client_options_absent`](#-ssh--client_options_absent) +* [`use_issue_net`](#-ssh--use_issue_net) +* [`purge_unmanaged_sshkeys`](#-ssh--purge_unmanaged_sshkeys) +* [`server_instances`](#-ssh--server_instances) + +##### `server_options` + +Data type: `Optional[Hash]` + +Add dynamic options for ssh server config + +Default value: `undef` + +##### `server_match_block` + +Data type: `Hash` + +Add match block for ssh server config + +Default value: `{}` + +##### `client_options` + +Data type: `Optional[Hash]` + +Add dynamic options for ssh client config + +Default value: `undef` + +##### `client_match_block` + +Data type: `Hash` + +Add match block for ssh client config + +Default value: `{}` + +##### `users_client_options` + +Data type: `Hash` + +Add users options for ssh client config + +Default value: `{}` + +##### `version` + +Data type: `String` + +Define package version (package ressource) + +Default value: `'present'` + +##### `storeconfigs_enabled` + +Data type: `Boolean` + +Default value for storeconfigs_enabled (client and server) + 
+Default value: `true` + +##### `validate_sshd_file` + +Data type: `Boolean` + +Default value for validate_sshd_file (server) + +Default value: `false` + +##### `use_augeas` + +Data type: `Boolean` + +Default value to use augeas (client and server) + +Default value: `false` + +##### `server_options_absent` + +Data type: `Array` + +List of options to remove for server config (augeas only) + +Default value: `[]` + +##### `client_options_absent` + +Data type: `Array` + +List of options to remove for client config (augeas only) + +Default value: `[]` + +##### `use_issue_net` + +Data type: `Boolean` + +Use issue_net header + +Default value: `false` + +##### `purge_unmanaged_sshkeys` + +Data type: `Boolean` + +Purge unmanaged sshkeys + +Default value: `true` + +##### `server_instances` + +Data type: `Hash[String[1],Hash[String[1],NotUndef]]` + +Configure SSH instances + +Default value: `{}` + +### `ssh::client` + +This class add ssh client management + +#### Examples + +##### Puppet usage + +```puppet +class { 'ssh::client': + ensure => present, + storeconfigs_enabled => true, + use_augeas => false, +} +``` + +#### Parameters + +The following parameters are available in the `ssh::client` class: + +* [`ssh_config`](#-ssh--client--ssh_config) +* [`client_package_name`](#-ssh--client--client_package_name) +* [`ensure`](#-ssh--client--ensure) +* [`storeconfigs_enabled`](#-ssh--client--storeconfigs_enabled) +* [`options`](#-ssh--client--options) +* [`use_augeas`](#-ssh--client--use_augeas) +* [`options_absent`](#-ssh--client--options_absent) +* [`default_options`](#-ssh--client--default_options) +* [`match_block`](#-ssh--client--match_block) + +##### `ssh_config` + +Data type: `Stdlib::Absolutepath` + +Path to ssh client config file + +##### `client_package_name` + +Data type: `Optional[String[1]]` + +Name of the client package + +Default value: `undef` + +##### `ensure` + +Data type: `String` + +Ensurable param to ssh client + +Default value: `present` + +##### 
`storeconfigs_enabled` + +Data type: `Boolean` + +Collected host keys from servers will be written to known_hosts unless storeconfigs_enabled is false + +Default value: `true` + +##### `options` + +Data type: `Hash` + +SSH client options, will be deep_merged with default_options. This parameter takes precedence over default_options + +Default value: `{}` + +##### `use_augeas` + +Data type: `Boolean` + +Use augeas to configure ssh client + +Default value: `false` + +##### `options_absent` + +Data type: `Array` + +Remove options (with augeas style) + +Default value: `[]` + +##### `default_options` + +Data type: `Hash` + +Default options to set, will be merged with options parameter + +##### `match_block` + +Data type: `Hash` + +Add ssh match_block (with concat) + +Default value: `{}` + +### `ssh::hostkeys` + +This class manages hostkeys + +#### Parameters + +The following parameters are available in the `ssh::hostkeys` class: + +* [`export_ipaddresses`](#-ssh--hostkeys--export_ipaddresses) +* [`storeconfigs_group`](#-ssh--hostkeys--storeconfigs_group) +* [`extra_aliases`](#-ssh--hostkeys--extra_aliases) +* [`exclude_interfaces`](#-ssh--hostkeys--exclude_interfaces) +* [`exclude_interfaces_re`](#-ssh--hostkeys--exclude_interfaces_re) +* [`exclude_ipaddresses`](#-ssh--hostkeys--exclude_ipaddresses) +* [`use_trusted_facts`](#-ssh--hostkeys--use_trusted_facts) +* [`tags`](#-ssh--hostkeys--tags) + +##### `export_ipaddresses` + +Data type: `Boolean` + +Whether ip addresses should be added as aliases + +Default value: `true` + +##### `storeconfigs_group` + +Data type: `Optional[String[1]]` + +Tag hostkeys with this group to allow segregation + +Default value: `undef` + +##### `extra_aliases` + +Data type: `Array` + +Additional aliases to set for host keys + +Default value: `[]` + +##### `exclude_interfaces` + +Data type: `Array` + +List of interfaces to exclude + +Default value: `[]` + +##### `exclude_interfaces_re` + +Data type: `Array` + +List of regular expressions to 
exclude interfaces + +Default value: `[]` + +##### `exclude_ipaddresses` + +Data type: `Array` + +List of ip addresses to exclude + +Default value: `[]` + +##### `use_trusted_facts` + +Data type: `Boolean` + +Whether to use trusted or normal facts + +Default value: `false` + +##### `tags` + +Data type: `Optional[Array[String[1]]]` + +Array of custom tags + +Default value: `undef` + +### `ssh::knownhosts` + +This class manages knownhosts if collection is enabled. + +#### Parameters + +The following parameters are available in the `ssh::knownhosts` class: + +* [`collect_enabled`](#-ssh--knownhosts--collect_enabled) +* [`storeconfigs_group`](#-ssh--knownhosts--storeconfigs_group) + +##### `collect_enabled` + +Data type: `Boolean` + +Enable collection + +Default value: `$ssh::knownhosts::collect_enabled` + +##### `storeconfigs_group` + +Data type: `Optional[String[1]]` + +Define the hostkeys group storage + +Default value: `undef` + +### `ssh::server` + +This class managed ssh server + +#### Examples + +##### Puppet usage + +```puppet +class { 'ssh::server': + ensure => present, + storeconfigs_enabled => true, + use_issue_net => false, +} +``` + +#### Parameters + +The following parameters are available in the `ssh::server` class: + +* [`service_name`](#-ssh--server--service_name) +* [`sshd_config`](#-ssh--server--sshd_config) +* [`sshd_dir`](#-ssh--server--sshd_dir) +* [`sshd_binary`](#-ssh--server--sshd_binary) +* [`sshd_config_mode`](#-ssh--server--sshd_config_mode) +* [`host_priv_key_group`](#-ssh--server--host_priv_key_group) +* [`default_options`](#-ssh--server--default_options) +* [`ensure`](#-ssh--server--ensure) +* [`storeconfigs_enabled`](#-ssh--server--storeconfigs_enabled) +* [`options`](#-ssh--server--options) +* [`validate_sshd_file`](#-ssh--server--validate_sshd_file) +* [`use_augeas`](#-ssh--server--use_augeas) +* [`options_absent`](#-ssh--server--options_absent) +* [`match_block`](#-ssh--server--match_block) +* 
[`use_issue_net`](#-ssh--server--use_issue_net) +* [`sshd_environments_file`](#-ssh--server--sshd_environments_file) +* [`server_package_name`](#-ssh--server--server_package_name) + +##### `service_name` + +Data type: `String[1]` + +Name of the sshd service + +##### `sshd_config` + +Data type: `Stdlib::Absolutepath` + +Path to the sshd_config file + +##### `sshd_dir` + +Data type: `Stdlib::Absolutepath` + +Path to the sshd dir (e.g. /etc/ssh) + +##### `sshd_binary` + +Data type: `Stdlib::Absolutepath` + +Path to the sshd binary + +##### `sshd_config_mode` + +Data type: `Stdlib::Filemode` + +Mode to set on the sshd config file + +##### `host_priv_key_group` + +Data type: `Integer` + +Name of the group for the private host key + +##### `default_options` + +Data type: `Hash` + +Default options to set, will be merged with options parameter + +##### `ensure` + +Data type: `Enum[present,absent,latest]` + +Ensurable param to ssh server + +Default value: `present` + +##### `storeconfigs_enabled` + +Data type: `Boolean` + +Host keys will be collected and distributed unless storeconfigs_enabled is false. + +Default value: `true` + +##### `options` + +Data type: `Hash` + +Dynamic hash for openssh server option + +Default value: `{}` + +##### `validate_sshd_file` + +Data type: `Boolean` + +Add sshd file validate cmd + +Default value: `false` + +##### `use_augeas` + +Data type: `Boolean` + +Use augeas for configuration (default concat) + +Default value: `false` + +##### `options_absent` + +Data type: `Array` + +Remove options (with augeas style) + +Default value: `[]` + +##### `match_block` + +Data type: `Hash` + +Add sshd match_block (with concat) + +Default value: `{}` + +##### `use_issue_net` + +Data type: `Boolean` + +Add issue_net banner + +Default value: `false` + +##### `sshd_environments_file` + +Data type: `Optional[Stdlib::Absolutepath]` + +Path to a sshd environments file (e.g. 
/etc/defaults/ssh on Debian) + +Default value: `undef` + +##### `server_package_name` + +Data type: `Optional[String[1]]` + +Name of the server package to install + +Default value: `undef` + +## Defined types + +### `ssh::client::config::user` + +Copyright (c) IN2P3 Computing Centre, IN2P3, CNRS +Contributor: Remi Ferrand (2015) +Contributor: Tim Meusel (2017) + +#### Parameters + +The following parameters are available in the `ssh::client::config::user` defined type: + +* [`ensure`](#-ssh--client--config--user--ensure) +* [`target`](#-ssh--client--config--user--target) +* [`user_home_dir`](#-ssh--client--config--user--user_home_dir) +* [`manage_user_ssh_dir`](#-ssh--client--config--user--manage_user_ssh_dir) +* [`options`](#-ssh--client--config--user--options) +* [`user`](#-ssh--client--config--user--user) +* [`ssh_directory_default_mode`](#-ssh--client--config--user--ssh_directory_default_mode) +* [`ssh_config_default_mode`](#-ssh--client--config--user--ssh_config_default_mode) + +##### `ensure` + +Data type: `Enum['present', 'absent']` + +Specifies whether the config file should be present or absent + +Default value: `present` + +##### `target` + +Data type: `Optional[Stdlib::Absolutepath]` + +Sets the config file location, defaults to `~/.ssh/config` if $target and $user_home_dir are not set + +Default value: `undef` + +##### `user_home_dir` + +Data type: `Optional[Stdlib::Absolutepath]` + +Sets the location of users home dir, defaults to `/home/$user` + +Default value: `undef` + +##### `manage_user_ssh_dir` + +Data type: `Boolean` + +Whether the users ssh dir should be managed or not + +Default value: `true` + +##### `options` + +Data type: `Hash` + +Options which should be set + +Default value: `{}` + +##### `user` + +Data type: `String[1]` + +The name of the user the config should be managed for + +Default value: `$name` + +##### `ssh_directory_default_mode` + +Data type: `String[1]` + +Default mode for the users ssh dir + +Default value: `'0700'` + +##### 
`ssh_config_default_mode` + +Data type: `String[1]` + +Default mode for the ssh config file + +Default value: `'0600'` + +### `ssh::client::match_block` + +Add match_block to ssh client config (concat needed) + +#### Parameters + +The following parameters are available in the `ssh::client::match_block` defined type: + +* [`options`](#-ssh--client--match_block--options) +* [`type`](#-ssh--client--match_block--type) +* [`order`](#-ssh--client--match_block--order) +* [`target`](#-ssh--client--match_block--target) + +##### `options` + +Data type: `Hash` + +Options which should be set + +Default value: `{}` + +##### `type` + +Data type: `Ssh::ClientMatch` + +Type of match_block, e.g. user, group, host, ... + +Default value: `'user'` + +##### `order` + +Data type: `Integer` + +Orders your settings within the config file + +Default value: `50` + +##### `target` + +Data type: `Stdlib::Absolutepath` + +Sets the target file of the concat fragment + +Default value: `$ssh::client::ssh_config` + +### `ssh::server::config::setting` + +Internal define to managed ssh server param + +#### Parameters + +The following parameters are available in the `ssh::server::config::setting` defined type: + +* [`key`](#-ssh--server--config--setting--key) +* [`value`](#-ssh--server--config--setting--value) +* [`order`](#-ssh--server--config--setting--order) + +##### `key` + +Data type: `String[1]` + +Key of the value which should be set + +##### `value` + +Data type: `Variant[Boolean, Array, Hash, String]` + +Value which should be set + +##### `order` + +Data type: `Variant[String[1], Integer]` + +Orders your setting within the config file + +Default value: `'10'` + +### `ssh::server::host_key` + +Manage a ssh host key + +This module install a ssh host key in the server (basically, it is +a file resource but it also notifies to the ssh service) + +Important! 
This define does not modify any option in sshd_config, so +you have to manually define the HostKey option in the server options +if you haven't done yet. + +#### Parameters + +The following parameters are available in the `ssh::server::host_key` defined type: + +* [`ensure`](#-ssh--server--host_key--ensure) +* [`public_key_source`](#-ssh--server--host_key--public_key_source) +* [`public_key_content`](#-ssh--server--host_key--public_key_content) +* [`private_key_source`](#-ssh--server--host_key--private_key_source) +* [`private_key_content`](#-ssh--server--host_key--private_key_content) +* [`certificate_source`](#-ssh--server--host_key--certificate_source) +* [`certificate_content`](#-ssh--server--host_key--certificate_content) + +##### `ensure` + +Data type: `Enum[present, absent]` + +Set to 'absent' to remove host_key files + +Default value: `'present'` + +##### `public_key_source` + +Data type: `Optional[String[1]]` + +Sets the content of the source parameter for the public key file +Note public_key_source and public_key_content are mutually exclusive. + +Default value: `undef` + +##### `public_key_content` + +Data type: `Optional[String[1]]` + +Sets the content for the public key file. +Note public_key_source and public_key_content are mutually exclusive. + +Default value: `undef` + +##### `private_key_source` + +Data type: `Optional[String[1]]` + +Sets the content of the source parameter for the private key file +Note private_key_source and private_key_content are mutually exclusive. + +Default value: `undef` + +##### `private_key_content` + +Data type: `Optional[String[1]]` + +Sets the content for the private key file. +Note private_key_source and private_key_content are mutually exclusive. + +Default value: `undef` + +##### `certificate_source` + +Data type: `Optional[String[1]]` + +Sets the content of the source parameter for the host key certificate. +Note certificate_source and certificate_content are mutually exclusive. 
+ +Default value: `undef` + +##### `certificate_content` + +Data type: `Optional[String[1]]` + +Sets the content for the host key certificate. +Note certificate_source and certificate_content are mutually exclusive. + +Default value: `undef` + +### `ssh::server::instances` + +Configure separate ssh server instances + +#### Parameters + +The following parameters are available in the `ssh::server::instances` defined type: + +* [`ensure`](#-ssh--server--instances--ensure) +* [`options`](#-ssh--server--instances--options) +* [`service_ensure`](#-ssh--server--instances--service_ensure) +* [`service_enable`](#-ssh--server--instances--service_enable) +* [`validate_config_file`](#-ssh--server--instances--validate_config_file) +* [`sshd_instance_config_file`](#-ssh--server--instances--sshd_instance_config_file) +* [`sshd_binary`](#-ssh--server--instances--sshd_binary) +* [`sshd_environments_file`](#-ssh--server--instances--sshd_environments_file) + +##### `ensure` + +Data type: `Enum[present, absent]` + +Specifies whether the instance should be added or removed + +Default value: `present` + +##### `options` + +Data type: `Hash` + +Set options for the instance + +Default value: `{}` + +##### `service_ensure` + +Data type: `Stdlib::Ensure::Service` + +Whether this instance service should be running or stopped, defaults to true when ensure is set to present, otherwise false + +Default value: `$ensure ? { 'present' => 'running', 'absent' => 'stopped'` + +##### `service_enable` + +Data type: `Boolean` + +Whether this instance service should be started at boot. 
Will be added automatically if ensure is running/removed if ensure is stopped + +Default value: `($service_ensure == 'running'` + +##### `validate_config_file` + +Data type: `Boolean` + +Validate config file before applying + +Default value: `false` + +##### `sshd_instance_config_file` + +Data type: `Stdlib::Absolutepath` + +Path of the instance sshd config + +Default value: `"${ssh::server::sshd_dir}/sshd_config.${title}"` + +##### `sshd_binary` + +Data type: `Stdlib::Absolutepath` + +Path to sshd binary + +Default value: `$ssh::server::sshd_binary` + +##### `sshd_environments_file` + +Data type: `Optional[Stdlib::Absolutepath]` + +Path to environments file, if any + +Default value: `$ssh::server::sshd_environments_file` + +### `ssh::server::match_block` + +Add match_block to ssh server config + +#### Parameters + +The following parameters are available in the `ssh::server::match_block` defined type: + +* [`options`](#-ssh--server--match_block--options) +* [`type`](#-ssh--server--match_block--type) +* [`order`](#-ssh--server--match_block--order) +* [`target`](#-ssh--server--match_block--target) + +##### `options` + +Data type: `Hash` + +Options which should be set + +Default value: `{}` + +##### `type` + +Data type: `String[1]` + +Type of match_block, e.g. user, group, host, ... 
+ +Default value: `'user'` + +##### `order` + +Data type: `Integer` + +Orders your settings within the config file + +Default value: `50` + +##### `target` + +Data type: `Stdlib::Absolutepath` + +Sets the target file of the concat fragment + +Default value: `$ssh::server::sshd_config` + +### `ssh::server::options` + +This defined type manages ssh server options + +#### Parameters + +The following parameters are available in the `ssh::server::options` defined type: + +* [`options`](#-ssh--server--options--options) +* [`order`](#-ssh--server--options--order) + +##### `options` + +Data type: `Hash` + +Options which should be set + +Default value: `{}` + +##### `order` + +Data type: `Integer` + +Orders your settings within the config file + +Default value: `50` + +## Functions + +### `sshclient_options_to_augeas_ssh_config` + +Type: Ruby 3.x API + +This function will convert a key-value hash to a format understandable by the augeas sshd_config provider +It will also optionally deal with keys that should be absent, and inject static parameters if supplied. + +Usage: sshclient_options_to_augeas_ssh_config($options_present, $options_absent, $other_parameters) +- $options_hash is mandatory and must be a hash. +- $options_absent is optional and can be either a single value or an array. +- $other_parameters is optional and must be a hash. 
+ +Example: +$options = { + 'Host *.example.com' => { + 'ForwardAgent' => 'yes', + 'BatchMode' => 'yes', + }, + 'ForwardAgent' => 'no', + 'BatchMode' => 'no', + 'StrictHostKeyChecking' => 'no', + } +$options_absent = ['StrictHostKeyChecking','NoneField'] +$other_parameters = { 'target' => '/etc/ssh/ssh_config' } + +$options_final_augeas = sshclient_options_to_augeas_ssh_config($options, $options_absent, $other_parameters) + +In this case, the value of $options_final_augeas would be: + +'ForwardAgent *.example.com' => { + 'ensure' => 'present', + 'host' => '*.example.com', + 'key' => 'ForwardAgent', + 'value' => 'yes', + 'target' => '/etc/ssh/ssh_config', + } +'BatchMode *.example.com' => { + 'ensure' => 'present', + 'host' => '*.example.com', + 'key' => 'BatchMode', + 'value' => 'yes', + 'target' => '/etc/ssh/ssh_config', + } +'ForwardAgent' => { + 'ensure' => 'present', + 'key' => 'ForwardAgent', + 'value' => 'yes', + 'target' => '/etc/ssh/ssh_config', + } +'BatchMode' => { + 'ensure' => 'present', + 'key' => 'BatchMode', + 'value' => 'yes', + 'target' => '/etc/ssh/ssh_config', + } +'StrictHostKeyChecking' => { + 'ensure' => 'absent', + 'key' => 'StrictHostKeyChecking', + 'target' => '/etc/ssh/ssh_config', + } + 'NoneField' => { + 'ensure' => 'absent', + 'key' => 'NoneField', + 'target' => '/etc/ssh/ssh_config', + } + +Note how the word "Host" is stripped a + +#### `sshclient_options_to_augeas_ssh_config()` + +This function will convert a key-value hash to a format understandable by the augeas sshd_config provider +It will also optionally deal with keys that should be absent, and inject static parameters if supplied. + +Usage: sshclient_options_to_augeas_ssh_config($options_present, $options_absent, $other_parameters) +- $options_hash is mandatory and must be a hash. +- $options_absent is optional and can be either a single value or an array. +- $other_parameters is optional and must be a hash. 
+ +Example: +$options = { + 'Host *.example.com' => { + 'ForwardAgent' => 'yes', + 'BatchMode' => 'yes', + }, + 'ForwardAgent' => 'no', + 'BatchMode' => 'no', + 'StrictHostKeyChecking' => 'no', + } +$options_absent = ['StrictHostKeyChecking','NoneField'] +$other_parameters = { 'target' => '/etc/ssh/ssh_config' } + +$options_final_augeas = sshclient_options_to_augeas_ssh_config($options, $options_absent, $other_parameters) + +In this case, the value of $options_final_augeas would be: + +'ForwardAgent *.example.com' => { + 'ensure' => 'present', + 'host' => '*.example.com', + 'key' => 'ForwardAgent', + 'value' => 'yes', + 'target' => '/etc/ssh/ssh_config', + } +'BatchMode *.example.com' => { + 'ensure' => 'present', + 'host' => '*.example.com', + 'key' => 'BatchMode', + 'value' => 'yes', + 'target' => '/etc/ssh/ssh_config', + } +'ForwardAgent' => { + 'ensure' => 'present', + 'key' => 'ForwardAgent', + 'value' => 'yes', + 'target' => '/etc/ssh/ssh_config', + } +'BatchMode' => { + 'ensure' => 'present', + 'key' => 'BatchMode', + 'value' => 'yes', + 'target' => '/etc/ssh/ssh_config', + } +'StrictHostKeyChecking' => { + 'ensure' => 'absent', + 'key' => 'StrictHostKeyChecking', + 'target' => '/etc/ssh/ssh_config', + } + 'NoneField' => { + 'ensure' => 'absent', + 'key' => 'NoneField', + 'target' => '/etc/ssh/ssh_config', + } + +Note how the word "Host" is stripped a + +Returns: `Any` + +### `sshserver_options_to_augeas_sshd_config` + +Type: Ruby 3.x API + +This function will convert a key-value hash to a format understandable by the augeas sshd_config provider +It will also optionally deal with keys that should be absent, and inject static parameters if supplied. + +Usage: sshserver_options_to_augeas_sshd_config($options_present, $options_absent, $other_parameters) +- $options_hash is mandatory and must be a hash. +- $options_absent is optional and can be either a single value or an array. +- $other_parameters is optional and must be a hash. 
+ +Example: +$options = { + 'Match User www-data' => { + 'PasswordAuthentication' => 'yes', + 'X11Forwarding' => 'no', + }, + 'Match Group bamboo' => { + 'ForcedCommand' => '/bin/echo hello world', + }, + 'X11Forwarding' => 'yes', + 'DebianBanner' => '/etc/banner.net', + 'AllowGroups' => ["sshgroups", "admins"], + } +$options_absent = ['DebianBanner','NoneField'] +$other_parameters = { 'target' => '/etc/ssh/sshd_config' } + +$options_final_augeas = sshserver_options_to_augeas_sshd_config($options, $options_absent, $other_parameters) + +In this case, the value of $options_final_augeas would be: + +'PasswordAuthentication User www-data' => { + 'ensure' => 'present', + 'condition' => 'User www-data', + 'key' => 'PasswordAuthentication', + 'value' => 'yes', + 'target' => '/etc/ssh/sshd_config', + } + 'X11Forwarding User www-data' => { + 'ensure' => 'present', + 'condition' => 'User www-data', + 'key' => 'X11Forwarding', + 'value' => 'no', + 'target' => '/etc/ssh/sshd_config', + } + 'ForcedCommand Group bamboo' => { + 'ensure' => 'present', + 'condition' => 'Group bamboo', + 'key' => 'ForcedCommand', + 'value' => '/bin/echo hello world', + 'target' => '/etc/ssh/sshd_config', + } + 'X11Forwarding' => { + 'ensure' => 'present', + 'key' => 'X11Forwarding', + 'value' => 'yes', + 'target' => '/etc/ssh/sshd_config', + } + 'DebianBanner' => { + 'ensure' => 'absent', + 'key' => 'DebianBanner', + 'target' => '/etc/ssh/sshd_config', + } + 'AllowGroups' => { + 'ensure' => 'present', + 'key' => 'AllowGroups', + 'value' => ['sshgroups','admins'], + 'target' => '/etc/ssh/sshd_config', + } + 'NoneField' => { + 'ensure' => 'absent', + 'key' => 'NoneField', + 'target' => '/etc/ssh/sshd_config', + } + +Note how the word "Match" is stripped a + +#### `sshserver_options_to_augeas_sshd_config()` + +This function will convert a key-value hash to a format understandable by the augeas sshd_config provider +It will also optionally deal with keys that should be absent, and inject static 
parameters if supplied. + +Usage: sshserver_options_to_augeas_sshd_config($options_present, $options_absent, $other_parameters) +- $options_hash is mandatory and must be a hash. +- $options_absent is optional and can be either a single value or an array. +- $other_parameters is optional and must be a hash. + +Example: +$options = { + 'Match User www-data' => { + 'PasswordAuthentication' => 'yes', + 'X11Forwarding' => 'no', + }, + 'Match Group bamboo' => { + 'ForcedCommand' => '/bin/echo hello world', + }, + 'X11Forwarding' => 'yes', + 'DebianBanner' => '/etc/banner.net', + 'AllowGroups' => ["sshgroups", "admins"], + } +$options_absent = ['DebianBanner','NoneField'] +$other_parameters = { 'target' => '/etc/ssh/sshd_config' } + +$options_final_augeas = sshserver_options_to_augeas_sshd_config($options, $options_absent, $other_parameters) + +In this case, the value of $options_final_augeas would be: + +'PasswordAuthentication User www-data' => { + 'ensure' => 'present', + 'condition' => 'User www-data', + 'key' => 'PasswordAuthentication', + 'value' => 'yes', + 'target' => '/etc/ssh/sshd_config', + } + 'X11Forwarding User www-data' => { + 'ensure' => 'present', + 'condition' => 'User www-data', + 'key' => 'X11Forwarding', + 'value' => 'no', + 'target' => '/etc/ssh/sshd_config', + } + 'ForcedCommand Group bamboo' => { + 'ensure' => 'present', + 'condition' => 'Group bamboo', + 'key' => 'ForcedCommand', + 'value' => '/bin/echo hello world', + 'target' => '/etc/ssh/sshd_config', + } + 'X11Forwarding' => { + 'ensure' => 'present', + 'key' => 'X11Forwarding', + 'value' => 'yes', + 'target' => '/etc/ssh/sshd_config', + } + 'DebianBanner' => { + 'ensure' => 'absent', + 'key' => 'DebianBanner', + 'target' => '/etc/ssh/sshd_config', + } + 'AllowGroups' => { + 'ensure' => 'present', + 'key' => 'AllowGroups', + 'value' => ['sshgroups','admins'], + 'target' => '/etc/ssh/sshd_config', + } + 'NoneField' => { + 'ensure' => 'absent', + 'key' => 'NoneField', + 'target' => 
'/etc/ssh/sshd_config', + } + +Note how the word "Match" is stripped a + +Returns: `Any` + +## Data types + +### `Ssh::ClientMatch` + +OpenSSH client `Match` criteria. See `ssh_config(5)` + +Alias of `Enum['!all', 'all', '!canonical', 'canonical', '!exec', 'exec', '!final', 'final', '!host', 'host', '!localuser', 'localuser', '!originalhost', 'originalhost', '!user', 'user']` + From d835046170e67530812391ed78bd61ed7e322f35 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Mon, 14 Oct 2024 16:29:44 +0200 Subject: [PATCH 213/246] Set merge behavior of ssh::server_instances to deep (#395) Thanks @C24-AK Fixes #393 --- data/common.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/data/common.yaml b/data/common.yaml index cf12c2cd..2c9556a4 100644 --- a/data/common.yaml +++ b/data/common.yaml @@ -12,6 +12,8 @@ lookup_options: merge: deep ssh::client::options: merge: deep + ssh::server_instances: + merge: deep ssh::server::sshd_dir: '/etc/ssh' ssh::server::sshd_config: '/etc/ssh/sshd_config' From 698dd6769880dc50c2d19a5832cd9f1d568316f1 Mon Sep 17 00:00:00 2001 
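Review bot: Switching `ssh::server_instances` to `merge: deep` changes how array-valued sshd options inside an instance behave across Hiera layers, and that is worth a comment next to the new entry. With Hiera's deep merge, a hash key that holds an array in two layers is, as far as I recall, unioned rather than replaced, so a higher-priority layer that sets e.g. `AllowGroups: [admins]` for an instance no longer narrows a lower layer's `AllowGroups: [sshgroups]` but extends it — a restriction written at the node level can silently become a superset. I would record the intent and the caveat in the data file: `# deep merge: instance hashes are combined per key across layers; array values (AllowGroups, AllowUsers, ...) are unioned, not replaced — use the node layer to add, not to restrict`. The same applies to the pre-existing `ssh::client::options` entry, which this hunk does not touch.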
From: Neil Vergottini <28265335+nvergottini@users.noreply.github.com> Date: Mon, 14 Oct 2024 11:58:39 -0400 Subject: [PATCH 214/246] Add support for sshd_config include files (#390) Add include_dir parameter for specifying an include directory at the top of sshd_config. Add ssh::server::config_file resource type for creating config files within the include directory. Provides include parameter for including externally managed config files. This is primarily intended for including crypto policies in RedHat 9 family. Add data for RedHat 9 family to add include directory and config file to load crypto policies for OpenSSH server by default. --- data/RedHat-9.yaml | 5 ++++ hiera.yaml | 4 ++- manifests/server.pp | 16 ++++++++++++ manifests/server/config.pp | 18 +++++++++++++ manifests/server/config_file.pp | 46 +++++++++++++++++++++++++++++++++ templates/sshd_config.erb | 6 +++++ 6 files changed, 94 insertions(+), 1 deletion(-) create mode 100644 data/RedHat-9.yaml create mode 100644 manifests/server/config_file.pp diff --git a/data/RedHat-9.yaml b/data/RedHat-9.yaml new file mode 100644 index 00000000..8a6b09e5 --- /dev/null +++ b/data/RedHat-9.yaml @@ -0,0 +1,5 @@ +--- +ssh::server::include_dir: '/etc/ssh/sshd_config.d' +ssh::server::config_files: + 50-redhat: + include: '/etc/crypto-policies/back-ends/opensshserver.config' diff --git a/hiera.yaml b/hiera.yaml index bc6d659d..2a3dfb18 100644 --- a/hiera.yaml +++ b/hiera.yaml @@ -16,7 +16,9 @@ hierarchy: path: '%{facts.os.name}.yaml' - name: 'Major Version' - path: '%{facts.os.name}-%{facts.os.release.major}.yaml' + paths: + - '%{facts.os.name}-%{facts.os.release.major}.yaml' + - '%{facts.os.family}-%{facts.os.release.major}.yaml' - name: 'Major Version with architecture' path: '%{facts.os.name}-%{facts.os.release.major}-%{facts.os.architecture}.yaml' diff --git a/manifests/server.pp b/manifests/server.pp index 086fcf09..d598c1c1 100644 --- a/manifests/server.pp +++ b/manifests/server.pp 
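Review bot: The `50-redhat` key reuses the name of the distribution's own drop-in, so the managed `/etc/ssh/sshd_config.d/50-redhat.conf` replaces the vendor file rather than sitting beside it, and only the crypto-policy `Include` is carried over; whatever else the vendor file set (I have not verified its exact contents) must now come from `ssh::server::options`/`default_options`. Since `include_dir_purge` defaults to true in this commit, every other unmanaged `*.conf` in that directory is removed on the first run as well, which can drop a local hardening or `PermitRootLogin` override without any diff in Puppet code. A comment in this data file would save the next reader the archaeology: `# Replaces the vendor 50-redhat.conf with only the crypto-policy include; other vendor settings must be set via ssh::server::options. Unmanaged *.conf files in sshd_config.d are purged by default.`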
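Review bot: Adding `%{facts.os.family}-%{facts.os.release.major}.yaml` to the "Major Version" layer widens the scope of every existing `RedHat-N.yaml`, not just the new `RedHat-9.yaml`: `os.family` is `RedHat` on CentOS, Rocky, Alma, Oracle and Scientific, so a file that previously applied only to `os.name == RedHat` now applies to all version-N derivatives (the existing `RedHat-7.yaml` with `ssh::server::host_priv_key_group: 'ssh_keys'` would now also apply to CentOS 7 and friends, which may or may not be intended). Only the ordering inside `paths` keeps a name-specific file winning over the family file, and the higher-priority `%{facts.os.name}.yaml` layer still beats the family-major file, so a `Rocky.yaml` overrides `RedHat-9.yaml`. I would make that explicit in the hierarchy: rename the layer to `'Major Version (os.name, then os.family)'` and add `# name-specific file wins over family file; family files apply to every derivative of that major version` above `paths`.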
@@ -32,6 +32,18 @@ # @param ensure # Ensurable param to ssh server # +# @param include_dir +# Path to sshd include directory. +# +# @param include_dir_mode +# Mode to set on the sshd include directory. +# +# @param include_dir_purge +# Purge the include directory if true. +# +# @param config_files +# Hash of config files to add to the ssh include directory. +# # @param storeconfigs_enabled # Host keys will be collected and distributed unless storeconfigs_enabled is false. # @@ -68,6 +80,10 @@ Integer $host_priv_key_group, Hash $default_options, Enum[present,absent,latest] $ensure = present, + Optional[Stdlib::Absolutepath] $include_dir = undef, + Stdlib::Filemode $include_dir_mode = '0700', + Boolean $include_dir_purge = true, + Hash[String, Hash] $config_files = {}, Boolean $storeconfigs_enabled = true, Hash $options = {}, Boolean $validate_sshd_file = false, diff --git a/manifests/server/config.pp b/manifests/server/config.pp index 4aa3c56f..f7cef007 100644 --- a/manifests/server/config.pp +++ b/manifests/server/config.pp @@ -7,6 +7,7 @@ assert_private() $options = $ssh::server::merged_options + $include_dir = $ssh::server::include_dir case $ssh::server::validate_sshd_file { true: { @@ -47,6 +48,23 @@ } } + if $ssh::server::include_dir { + file { $ssh::server::include_dir: + ensure => directory, + owner => 0, + group => 0, + mode => $ssh::server::include_dir_mode, + purge => $ssh::server::include_dir_purge, + recurse => true, + } + + $ssh::server::config_files.each |$file, $params| { + ssh::server::config_file { $file: + * => $params, + } + } + } + if $ssh::server::use_issue_net { file { $ssh::server::issue_net: ensure => file, diff --git a/manifests/server/config_file.pp b/manifests/server/config_file.pp new file mode 100644 index 00000000..a9930240 --- /dev/null +++ b/manifests/server/config_file.pp 
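Review bot: The `@param include_dir` text should state where the line is emitted and what that implies, because the template writes `Include <dir>/*.conf` before every other keyword and sshd keeps the first value it obtains for most keywords, so a keyword set in any drop-in silently overrides the same keyword in `options`/`default_options`. It should also warn that `Include` is only understood by OpenSSH releases that support it (8.2 and later, to my recollection); on an older release setting `include_dir` makes sshd refuse its configuration with an unknown-option error, and the module only sets it for RedHat 9 by default. Proposed text: `# @param include_dir` / `#   Path to sshd include directory. 'Include <dir>/*.conf' is written at the top of sshd_config, so keywords in drop-ins take precedence over the same keyword in $options (sshd uses the first value it finds).` / `#   Requires an OpenSSH release that supports Include.` The class header and body continue outside the hunk.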
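Review bot: `recurse => true` on `file { $ssh::server::include_dir: ... }` is set regardless of `include_dir_purge`, and a recursive `file` resource that also sets `owner`, `group` and `mode` applies those attributes to every child it discovers, so with `include_dir_purge => false` — the case where an operator deliberately keeps vendor or hand-made drop-ins — those unmanaged `*.conf` files are chowned to root and chmodded to `include_dir_mode` (0700 by default) on every run. As far as I know explicitly declared children (the concat resources from `ssh::server::config_file`) take precedence over the recursively generated ones, so the managed files are unaffected, but the unmanaged ones are. Tying recursion to purging, `recurse => $ssh::server::include_dir_purge,`, limits the resource to the directory itself when purging is off; if recursive ownership enforcement is wanted, make it a separate, documented parameter. The enclosing class body continues outside the hunk.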
@@ -0,0 +1,46 @@ +# @summary Resource type for managing a config file in the include dir. +# +# @param mode +# File mode for the config file. +# +# @param include +# Absolute path to config file to include at the top of the config file. This +# is intended for including files not managed by this module (crypto policies). +# +# @param options +# Dynamic hash for openssh server option +# +define ssh::server::config_file ( + Stdlib::Absolutepath $path = "${ssh::server::include_dir}/${name}.conf", + Stdlib::Filemode $mode = $ssh::server::sshd_config_mode, + Optional[Stdlib::Absolutepath] $include = undef, + Hash $options = {}, +) { + if !$ssh::server::include_dir { + fail('ssh::server::config_file() define not supported if ssh::server::include_dir not set') + } + + case $ssh::server::validate_sshd_file { + true: { + $sshd_validate_cmd = '/usr/sbin/sshd -tf %' + } + default: { + $sshd_validate_cmd = undef + } + } + + concat { $path: + ensure => present, + owner => 0, + group => 0, + mode => $mode, + validate_cmd => $sshd_validate_cmd, + notify => Service[$ssh::server::service_name], + } + + concat::fragment { "sshd_config_file ${title}": + target => $path, + content => template("${module_name}/sshd_config.erb"), + order => '00', + } +} diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb index 339434e7..e924c216 100644 --- a/templates/sshd_config.erb +++ b/templates/sshd_config.erb @@ -11,6 +11,12 @@ end end -%> +<%- if @include_dir -%> +Include <%= @include_dir %>/*.conf +<%- end -%> +<%- if @include -%> +Include <%= @include %> +<%- end -%> <%- if addressfamily = @options.delete('AddressFamily') -%> AddressFamily <%= addressfamily %> <%- end -%> From 575ebc8a9973315329bb4cdc0e4bed7afe7de620 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Mon, 14 Oct 2024 18:31:35 +0200 Subject: [PATCH 215/246] update REFERENCE.md (#396) --- REFERENCE.md | 83 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 83 insertions(+) 
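Review bot: `/usr/sbin/sshd -tf %` hardcodes the binary although the class already exposes `ssh::server::sshd_binary` ("Path to the sshd binary", also the default for `ssh::server::instances`, presumably for the same purpose), so on a platform where sshd lives elsewhere validation fails even for a correct file; use `$sshd_validate_cmd = "${ssh::server::sshd_binary} -tf %"`. Note also what this validation does and does not prove: `sshd -t -f` parses the drop-in as if it were a complete configuration, so it catches syntax errors but not interactions with the main file — a fragment can validate here and still override, or be overridden by, a keyword elsewhere under the first-obtained-value rule, so the combined config is only checked by the main `sshd_config` resource's own `validate_cmd` when `validate_sshd_file` is on. The `path` parameter has no `@param` entry (REFERENCE.md renders it with an empty description); add `# @param path` / `#   Absolute path of the generated file; defaults to <include_dir>/<name>.conf.` above the define.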
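Review bot: The new `Include` lines are emitted before every other keyword, which is the right place given sshd's first-obtained-value rule, but the template is now shared by several callers (the main `sshd_config` via `ssh::server::config`, each drop-in via `ssh::server::config_file`, and presumably `ssh::server::instances`) and it relies on `@include_dir` and `@include` being nil in the callers that must not emit the line — any caller scope that happens to define a variable of that name re-enables it, and a drop-in that re-included its own directory would pull itself in. That contract is invisible in the template; record it above the block: `<%# @include_dir is set only by ssh::server::config (main file); @include only by ssh::server::config_file (drop-ins). Drop-ins must never Include the directory they live in. -%>`. The template continues outside the hunk.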
diff --git a/REFERENCE.md b/REFERENCE.md index 4578f022..b51c3544 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -27,6 +27,7 @@ * [`ssh::client::config::user`](#ssh--client--config--user): This defined type manages a users ssh config * [`ssh::client::match_block`](#ssh--client--match_block): Add match_block to ssh client config (concat needed) * [`ssh::server::config::setting`](#ssh--server--config--setting): Internal define to managed ssh server param +* [`ssh::server::config_file`](#ssh--server--config_file): Resource type for managing a config file in the include dir. * [`ssh::server::host_key`](#ssh--server--host_key): Manage a ssh host key This module install a ssh host key in the server (basically, it is @@ -541,6 +542,10 @@ The following parameters are available in the `ssh::server` class: * [`host_priv_key_group`](#-ssh--server--host_priv_key_group) * [`default_options`](#-ssh--server--default_options) * [`ensure`](#-ssh--server--ensure) +* [`include_dir`](#-ssh--server--include_dir) +* [`include_dir_mode`](#-ssh--server--include_dir_mode) +* [`include_dir_purge`](#-ssh--server--include_dir_purge) +* [`config_files`](#-ssh--server--config_files) * [`storeconfigs_enabled`](#-ssh--server--storeconfigs_enabled) * [`options`](#-ssh--server--options) * [`validate_sshd_file`](#-ssh--server--validate_sshd_file) @@ -601,6 +606,38 @@ Ensurable param to ssh server Default value: `present` +##### `include_dir` + +Data type: `Optional[Stdlib::Absolutepath]` + +Path to sshd include directory. + +Default value: `undef` + +##### `include_dir_mode` + +Data type: `Stdlib::Filemode` + +Mode to set on the sshd include directory. + +Default value: `'0700'` + +##### `include_dir_purge` + +Data type: `Boolean` + +Purge the include directory if true. + +Default value: `true` + +##### `config_files` + +Data type: `Hash[String, Hash]` + +Hash of config files to add to the ssh include directory. + +Default value: `{}` + ##### `storeconfigs_enabled` Data type: `Boolean` 
@@ -835,6 +872,52 @@ Orders your setting within the config file Default value: `'10'` +### `ssh::server::config_file` + +Resource type for managing a config file in the include dir. + +#### Parameters + +The following parameters are available in the `ssh::server::config_file` defined type: + +* [`mode`](#-ssh--server--config_file--mode) +* [`include`](#-ssh--server--config_file--include) +* [`options`](#-ssh--server--config_file--options) +* [`path`](#-ssh--server--config_file--path) + +##### `mode` + +Data type: `Stdlib::Filemode` + +File mode for the config file. + +Default value: `$ssh::server::sshd_config_mode` + +##### `include` + +Data type: `Optional[Stdlib::Absolutepath]` + +Absolute path to config file to include at the top of the config file. This +is intended for including files not managed by this module (crypto policies). + +Default value: `undef` + +##### `options` + +Data type: `Hash` + +Dynamic hash for openssh server option + +Default value: `{}` + +##### `path` + +Data type: `Stdlib::Absolutepath` + + + +Default value: `"${ssh::server::include_dir}/${name}.conf"` + ### `ssh::server::host_key` Manage a ssh host key From 2b5a2a4763275a5086e7ebd2e6cfe121f6e4eb03 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Tue, 15 Oct 2024 12:00:54 +0200 Subject: [PATCH 216/246] fix tests after adding support for sshd include_dir, refs #390 (#397) --- data/RedHat-7.yaml | 2 -- metadata.json | 8 -------- spec/classes/init_spec.rb | 11 +++++++++++ spec/classes/server_spec.rb | 6 ++++++ 4 files changed, 17 insertions(+), 10 deletions(-) delete mode 100644 data/RedHat-7.yaml diff --git a/data/RedHat-7.yaml b/data/RedHat-7.yaml deleted file mode 100644 index 9ee7359d..00000000 --- a/data/RedHat-7.yaml +++ /dev/null @@ -1,2 +0,0 @@ ---- -ssh::server::host_priv_key_group: 'ssh_keys' diff --git a/metadata.json b/metadata.json index f95c111e..feb73270 100644 --- a/metadata.json +++ b/metadata.json 
@@ -41,14 +41,6 @@ "9" ] }, - { - "operatingsystem": "Scientific", - "operatingsystemrelease": [ - "7", - "8", - "9" - ] - }, { "operatingsystem": "Debian", "operatingsystemrelease": [ diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index 285421bf..738bce0d 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb 
@@ -67,6 +67,17 @@ ssh_config_expected_custom = "# File managed by Puppet\n\nHostFoo\n HostName bar\nSomeOtherKey someValue\nHost *\n HashKnownHosts yes\n SendEnv LANG LC_*\n" sshd_config_default = "# File is managed by Puppet\n\nAcceptEnv LANG LC_*\nChallengeResponseAuthentication no\nPrintMotd no\nSubsystem sftp #{sftp_server_path}\nX11Forwarding yes\n" sshd_config_custom = "# File is managed by Puppet\n\nAcceptEnv LANG LC_*\nChallengeResponseAuthentication no\nPrintMotd no\nSomeOtherKey someValue\nSubsystem sftp #{sftp_server_path}\nUsePAM no\nX11Forwarding no\n" + when 'RedHat' + ssh_config_expected_default = "# File managed by Puppet\n\nHost *\n HashKnownHosts yes\n SendEnv LANG LC_*\n" + ssh_config_expected_custom = "# File managed by Puppet\n\nHostFoo\n HostName bar\nSomeOtherKey someValue\nHost *\n HashKnownHosts yes\n SendEnv LANG LC_*\n" + + if os_facts[:os]['release']['major'] == '8' + sshd_config_default = "# File is managed by Puppet\n\nAcceptEnv LANG LC_*\nChallengeResponseAuthentication no\nPrintMotd no\nSubsystem sftp #{sftp_server_path}\nUsePAM yes\nX11Forwarding yes\n" + sshd_config_custom = "# File is managed by Puppet\n\nAcceptEnv LANG LC_*\nChallengeResponseAuthentication no\nPrintMotd no\nSomeOtherKey someValue\nSubsystem sftp #{sftp_server_path}\nUsePAM no\nX11Forwarding no\n" + else + sshd_config_default = "# File is managed by Puppet\nInclude /etc/ssh/sshd_config.d/*.conf\n\nAcceptEnv LANG LC_*\nChallengeResponseAuthentication no\nPrintMotd no\nSubsystem sftp #{sftp_server_path}\nUsePAM yes\nX11Forwarding yes\n" + sshd_config_custom = "# File is managed by Puppet\nInclude /etc/ssh/sshd_config.d/*.conf\n\nAcceptEnv LANG LC_*\nChallengeResponseAuthentication no\nPrintMotd no\nSomeOtherKey someValue\nSubsystem sftp #{sftp_server_path}\nUsePAM no\nX11Forwarding no\n" + end else ssh_config_expected_default = "# File managed by Puppet\n\nHost *\n HashKnownHosts yes\n SendEnv LANG LC_*\n" ssh_config_expected_custom = "# File managed by 
Puppet\n\nHostFoo\n HostName bar\nSomeOtherKey someValue\nHost *\n HashKnownHosts yes\n SendEnv LANG LC_*\n" diff --git a/spec/classes/server_spec.rb b/spec/classes/server_spec.rb index 2305a986..a5266ef0 100644 --- a/spec/classes/server_spec.rb +++ b/spec/classes/server_spec.rb @@ -23,6 +23,12 @@ sshd_config_custom = case os_facts[:os]['family'] when 'Solaris' "# File is managed by Puppet\n\nChallengeResponseAuthentication no\nHostKey /etc/ssh/ssh_host_rsa_key\nHostKey /etc/ssh/ssh_host_dsa_key\nPrintMotd no\nSomeOtherKey someValue\nSubsystem sftp /some/path\nUsePAM no\nX11Forwarding no\n" + when 'RedHat' + if os_facts[:os]['release']['major'] == '8' + "# File is managed by Puppet\n\nAcceptEnv LANG LC_*\nChallengeResponseAuthentication no\nPrintMotd no\nSomeOtherKey someValue\nSubsystem sftp /some/path\nUsePAM no\nX11Forwarding no\n" + else + "# File is managed by Puppet\nInclude /etc/ssh/sshd_config.d/*.conf\n\nAcceptEnv LANG LC_*\nChallengeResponseAuthentication no\nPrintMotd no\nSomeOtherKey someValue\nSubsystem sftp /some/path\nUsePAM no\nX11Forwarding no\n" + end else "# File is managed by Puppet\n\nAcceptEnv LANG LC_*\nChallengeResponseAuthentication no\nPrintMotd no\nSomeOtherKey someValue\nSubsystem sftp /some/path\nUsePAM no\nX11Forwarding no\n" end From 2d19df9ac39cc2773b6c885f23c25988db084268 Mon Sep 17 00:00:00 2001 From: OKO Date: Tue, 24 Dec 2024 16:51:37 +0100 Subject: [PATCH 217/246] Purge and Recurse should be set together (#399) If you for whatever reason decide to change the value of purge, recurse should change with it. This is nothing new and the solution as it's implemented here is the same I have seen in other popular modules (saz-sudo, ghoneycutt-ssh) regarding the relation between purge and recurse. If you don't you can get unexpected behaviour. Related to #390 Co-authored-by: okopop --- manifests/server/config.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/manifests/server/config.pp b/manifests/server/config.pp index f7cef007..4b5f45fd 100644 --- a/manifests/server/config.pp +++ b/manifests/server/config.pp @@ -55,7 +55,7 @@ group => 0, mode => $ssh::server::include_dir_mode, purge => $ssh::server::include_dir_purge, - recurse => true, + recurse => $ssh::server::include_dir_purge, } $ssh::server::config_files.each |$file, $params| { From c3d6aa86521dcb457e3cc0cb4a5353a5c57105b2 Mon Sep 17 00:00:00 2001 From: Rene Trippen Date: Tue, 24 Dec 2024 16:52:02 +0100 Subject: [PATCH 218/246] ssh_instance: write ciphers,macs and kex as comma-separated string (#401) As the man page of sshd_config(5) describes: "Multiple ciphers/macs/kexalgorithms must be comma-separated." Using an array or YAML list for ciphers/mac/kex results in multiple entries in sshd_config. If multiple entries are set in sshd_config, sshd takes only the first one. Fixes #400 --- templates/ssh_instance.erb | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/templates/ssh_instance.erb b/templates/ssh_instance.erb index 66ae52ac..126aed4c 100644 --- a/templates/ssh_instance.erb +++ b/templates/ssh_instance.erb @@ -40,22 +40,30 @@ ListenAddress <%= listen %> <%- v.keys.sort.each do |key| -%> <%- value = v[key] -%> <%- if value.is_a?(Array) -%> + <%- if ['ciphers', 'macs', 'kexalgorithms'].include?(key.downcase) -%> + <%= key %> <%= value.join(',') %> + <%- else -%> <%- value.each do |a| -%> <%- if a != '' && a != nil -%> <%= key %> <%= bool2str(a) %> <%- end -%> <%- end -%> + <%- end -%> <%- elsif value != '' && value != nil -%> <%= key %> <%= bool2str(value) %> <%- end -%> <%- end -%> <%- else -%> <%- if v.is_a?(Array) -%> +<%- if ['ciphers', 'macs', 'kexalgorithms'].include?(k.downcase) -%> +<%= k %> <%= v.join(',') %> +<%- else -%> <%- v.each do |a| -%> <%- if a != '' && a != nil -%> <%= k %> <%= bool2str(a) %> <%- end -%> <%- end -%> +<%- end -%> <%- elsif v != nil and v != '' -%> <%= k %> <%= bool2str(v) %> <%- end -%> 
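Review bot: The new `recurse => $ssh::server::include_dir_purge` line silently widens what `include_dir_purge` means: the parameter is documented in this series' REFERENCE.md hunk as "Purge the include directory if true", but it now also decides whether the directory's contents are managed recursively at all, and with the documented default `true` every file in the include dir that is not declared in `config_files` — presumably including distribution-shipped drop-ins — is removed. The `@param include_dir_purge` doc in manifests/server.pp (not in this hunk) should say so, e.g. `#   Purge the include directory if true. This also turns on recursive management of the directory; unmanaged drop-in files, including vendor-shipped ones, are removed.` The enclosing `file` resource starts before this hunk.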
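Review bot: `value.join(',')` on the new comma-separated branch skips the `a != '' && a != nil` filter that the per-element branch just below still applies, so an array with a nil or empty entry (easy to get from a Hiera merge) is written as a list with an empty element, e.g. `Ciphers aes256-ctr,`, which sshd will most likely reject at startup and thereby block the instance's restart. Change it to `<%= key %> <%= value.reject { |a| a.nil? || a == '' }.join(',') %>` and do the same for the `<%= k %> <%= v.join(',') %>` line in the second branch. The key-name array is also duplicated verbatim in both branches, and the later hunks on this template (`@@ -40,7 +40,7` and `@@ -55,7 +55,7` of the "write more values as comma-separated strings" commit) grow both copies to nine names; defining it once near the top of the template, e.g. `<%- comma_keys = %w[ciphers macs kexalgorithms] -%>`, and testing `comma_keys.include?(key.downcase)` would keep the two copies from drifting. The enclosing `each` loops start before and end after this hunk.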
From 51b47780af6b051cba4df656c3d6f3f5c9b3f27e Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Wed, 25 Dec 2024 10:34:41 +0100 Subject: [PATCH 219/246] remove Ubuntu 18.04 as supported OS (#402) --- metadata.json | 1 - 1 file changed, 1 deletion(-) diff --git a/metadata.json b/metadata.json index feb73270..15748964 100644 --- a/metadata.json +++ b/metadata.json @@ -51,7 +51,6 @@ { "operatingsystem": "Ubuntu", "operatingsystemrelease": [ - "18.04", "20.04", "22.04" ] From b73264f22dedafb91b3013192a1d0a21044da94c Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Wed, 25 Dec 2024 10:44:58 +0100 Subject: [PATCH 220/246] release: v13.0.0 (#403) --- CHANGELOG.md | 11 +++++++++++ metadata.json | 2 +- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1f494d20..b07ccf68 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,17 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [13.0.0] +### Removed +- BREAKING CHANGE: remove Ubuntu 18.04 as supported OS (#402) +### Fixed +- ssh_instance: write ciphers,macs and kex as comma-separated string (#401) +- Purge and Recurse should be set together (#399) +### Added +- Add support for sshd_config include files (#390) +### Changed +- Set merge behavior of ssh::server_instances to deep (#395) + ## [12.1.0] ### Added - allow puppet/systemd < 8, fixes #382 diff --git a/metadata.json b/metadata.json index 15748964..9a25f10d 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "saz-ssh", - "version": "12.1.0", + "version": "13.0.0", "author": "saz", "summary": "Manage SSH client and server via Puppet.", "license": "Apache-2.0", From 51dd41d8e0f624ff774be47fb49ef22da83f2347 Mon Sep 17 00:00:00 2001 
From: Yury Bushmelev Date: Tue, 4 Feb 2025 21:09:02 +0800 Subject: [PATCH 221/246] puppet/systemd: allow 8.x (#404) Co-authored-by: Yury Bushmelev --- metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/metadata.json b/metadata.json index 9a25f10d..60451a9d 100644 --- a/metadata.json +++ b/metadata.json @@ -17,7 +17,7 @@ }, { "name": "puppet/systemd", - "version_requirement": ">= 3.7.0 < 8.0.0" + "version_requirement": ">= 3.7.0 < 9.0.0" } ], "operatingsystem_support": [ From 3917ebe7de70f5eb17386360399c04ff60a87b1d Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Tue, 18 Feb 2025 18:13:33 +0100 Subject: [PATCH 222/246] Update from modulesync_config (#405) --- .github/ISSUE_TEMPLATE.md | 26 ++++++++++++++++++++++++++ .github/PULL_REQUEST_TEMPLATE.md | 20 ++++++++++++++++++++ .github/workflows/prepare_release.yml | 23 +++++++++++++++++++++++ .github/workflows/release.yml | 7 ------- .msync.yml | 2 +- 5 files changed, 70 insertions(+), 8 deletions(-) create mode 100644 .github/ISSUE_TEMPLATE.md create mode 100644 .github/PULL_REQUEST_TEMPLATE.md create mode 100644 .github/workflows/prepare_release.yml diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md new file mode 100644 index 00000000..593e7aa8 --- /dev/null +++ b/.github/ISSUE_TEMPLATE.md @@ -0,0 +1,26 @@ + + +## Affected Puppet, Ruby, OS and module versions/distributions + +- Puppet: +- Ruby: +- Distribution: +- Module version: + +## How to reproduce (e.g Puppet code you use) + +## What are you seeing + +## What behaviour did you expect instead + +## Output log + +## Any additional information you'd like to impart diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 00000000..342807bc --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -0,0 +1,20 @@ + +#### Pull Request (PR) description + + +#### This Pull Request (PR) fixes the following issues + 
diff --git a/.github/workflows/prepare_release.yml b/.github/workflows/prepare_release.yml new file mode 100644 index 00000000..6d3b05f3 --- /dev/null +++ b/.github/workflows/prepare_release.yml @@ -0,0 +1,23 @@ +--- +# Managed by modulesync - DO NOT EDIT +# https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ + +name: 'Prepare Release' + +on: + workflow_dispatch: + inputs: + version: + description: 'Module version to be released. Must be a valid semver string without leading v. (1.2.3)' + required: false + +jobs: + release_prep: + uses: 'voxpupuli/gha-puppet/.github/workflows/prepare_release.yml@v3' + with: + version: ${{ github.event.inputs.version }} + allowed_owner: 'saz' + secrets: + # Configure secrets here: + # https://docs.github.com/en/actions/security-guides/encrypted-secrets + github_pat: '${{ secrets.PCCI_PAT_RELEASE_PREP }}' diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 79fb09bf..b6079081 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -21,10 +21,3 @@ jobs: # https://docs.github.com/en/actions/security-guides/encrypted-secrets username: ${{ secrets.PUPPET_FORGE_USERNAME }} api_key: ${{ secrets.PUPPET_FORGE_API_KEY }} - - create-github-release: - name: Create GitHub Release - runs-on: ubuntu-latest - steps: - - name: Create GitHub release - uses: voxpupuli/gha-create-a-github-release@v1 diff --git a/.msync.yml b/.msync.yml index ac84b45d..36e892e9 100644 --- a/.msync.yml +++ b/.msync.yml @@ -2,4 +2,4 @@ # Managed by modulesync - DO NOT EDIT # https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ -modulesync_config_version: '9.3.0' +modulesync_config_version: '9.4.0' From e11d5f35a1c51c758ba7f7da0b272717d2b82205 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Thu, 20 Feb 2025 16:23:52 +0100 Subject: [PATCH 223/246] release: v13.1.0 (#406) --- CHANGELOG.md | 4 ++++ metadata.json | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index b07ccf68..43b6aa08 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [13.1.0] +### Added +- puppet/systemd: allow 8.x (#404) + ## [13.0.0] ### Removed - BREAKING CHANGE: remove Ubuntu 18.04 as supported OS (#402) diff --git a/metadata.json b/metadata.json index 60451a9d..aa2f83f8 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "saz-ssh", - "version": "13.0.0", + "version": "13.1.0", "author": "saz", "summary": "Manage SSH client and server via Puppet.", "license": "Apache-2.0", From f96e1ed523b88e03edf5371b849c2a4bfc2c487f Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Tue, 15 Apr 2025 14:06:46 +0200 Subject: [PATCH 224/246] replace legacy facts in issue.net template, fixes #408 (#409) --- templates/issue.net.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/issue.net.erb b/templates/issue.net.erb index fb8ef2ab..9d81a42b 100644 --- a/templates/issue.net.erb +++ b/templates/issue.net.erb @@ -1,4 +1,4 @@ - <%= @hostname %> + <%= @facts['networking']['hostname'] %> ********* ****************************************** * This system is a restricted resource and property. * * Use your administrator assigned user-id to access. * From a5957bc1d128d28d45f7dbe880e544093f726df8 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Tue, 7 Oct 2025 17:25:53 +0200 Subject: [PATCH 225/246] metadata.json (#420) metadata.json: Replace hard tabs with whitespace --- metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/metadata.json b/metadata.json index aa2f83f8..62d40487 100644 --- a/metadata.json +++ b/metadata.json 
@@ -45,7 +45,7 @@ "operatingsystem": "Debian", "operatingsystemrelease": [ "11", - "12" + "12" ] }, { From 66ab9bb7f3723e10bd687f3d68dc7e3b1a9f9af8 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Tue, 7 Oct 2025 17:32:02 +0200 Subject: [PATCH 226/246] puppet/systemd: Allow 9.x (#419) --- metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/metadata.json b/metadata.json index 62d40487..7a7faaba 100644 --- a/metadata.json +++ b/metadata.json @@ -17,7 +17,7 @@ }, { "name": "puppet/systemd", - "version_requirement": ">= 3.7.0 < 9.0.0" + "version_requirement": ">= 3.7.0 < 10.0.0" } ], "operatingsystem_support": [ From 92ee3c2313becda719f7da33881ff0ffd944189f Mon Sep 17 00:00:00 2001 From: Brian Witt Date: Sun, 26 Oct 2025 13:17:13 -0700 Subject: [PATCH 227/246] add Ubuntu 24.04 (#418) --- metadata.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/metadata.json b/metadata.json index 7a7faaba..40f7eee9 100644 --- a/metadata.json +++ b/metadata.json @@ -52,7 +52,8 @@ "operatingsystem": "Ubuntu", "operatingsystemrelease": [ "20.04", - "22.04" + "22.04", + "24.04" ] }, { From 85d23d640539e35e0fd6be0e60669a2fc3d76c64 Mon Sep 17 00:00:00 2001 From: Kenyon Ralph Date: Sun, 26 Oct 2025 13:17:45 -0700 Subject: [PATCH 228/246] AIX: remove nonexistent ssh::server::ssh_known_hosts setting (#421) --- data/AIX.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/data/AIX.yaml b/data/AIX.yaml index 0ad4feaf..4cc51e15 100644 --- a/data/AIX.yaml +++ b/data/AIX.yaml @@ -4,7 +4,6 @@ ssh::server::sshd_binary: '/usr/sbin/sshd' ssh::server::sshd_config: '/etc/ssh/sshd_config' ssh::server::sshd_config_mode: '0644' ssh::server::ssh_config: '/etc/ssh/ssh_config' -ssh::server::ssh_known_hosts: '/etc/ssh/ssh_known_hosts' ssh::server::service_name: 'sshd' ssh::sftp_server_path: '/usr/sbin/sftp-server' ssh::server::host_priv_key_group: 0 From 8f7d0834e71cd64b43a0354f52c1cd3d8539e494 Mon Sep 17 00:00:00 2001 
From: Kenyon Ralph Date: Sun, 26 Oct 2025 23:35:59 -0700 Subject: [PATCH 229/246] AIX: fix ssh::client::ssh_config setting (#422) --- data/AIX.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/AIX.yaml b/data/AIX.yaml index 4cc51e15..b3a1aa5b 100644 --- a/data/AIX.yaml +++ b/data/AIX.yaml @@ -3,7 +3,7 @@ ssh::server::sshd_dir: '/etc/ssh' ssh::server::sshd_binary: '/usr/sbin/sshd' ssh::server::sshd_config: '/etc/ssh/sshd_config' ssh::server::sshd_config_mode: '0644' -ssh::server::ssh_config: '/etc/ssh/ssh_config' +ssh::client::ssh_config: '/etc/ssh/ssh_config' ssh::server::service_name: 'sshd' ssh::sftp_server_path: '/usr/sbin/sftp-server' ssh::server::host_priv_key_group: 0 From b63934cf77c033f88c80e55818cb6dccc5b41389 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Tue, 28 Oct 2025 07:07:02 +0100 Subject: [PATCH 230/246] replace puppet requirement by openvox (#425) --- metadata.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/metadata.json b/metadata.json index 40f7eee9..efe8c042 100644 --- a/metadata.json +++ b/metadata.json @@ -105,8 +105,8 @@ ], "requirements": [ { - "name": "puppet", - "version_requirement": ">= 7.0.0 < 9.0.0" + "name": "openvox", + "version_requirement": ">= 8.19.0 < 9.0.0" } ] } From 714d5c20dcdcb534273e473fa5f01da5dce4de19 Mon Sep 17 00:00:00 2001 From: Kenyon Ralph Date: Mon, 27 Oct 2025 23:13:56 -0700 Subject: [PATCH 231/246] hostkeys: remove Puppet 4 workaround (#423) Dropped Puppet 4 support in #311, v7.0.0. --- manifests/hostkeys.pp | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/manifests/hostkeys.pp b/manifests/hostkeys.pp index 5839c1b8..47a4bdba 100644 --- a/manifests/hostkeys.pp +++ b/manifests/hostkeys.pp 
@@ -63,26 +63,18 @@ } ['dsa', 'rsa', 'ecdsa', 'ed25519'].each |String $key_type| { - # can be removed as soon as we drop support for puppet 4 - # see https://tickets.puppetlabs.com/browse/FACT-1377?jql=project%20%3D%20FACT%20AND%20fixVersion%20%3D%20%22FACT%203.12.0%22 - if $key_type == 'ecdsa' { - $key_type_real = 'ecdsa-sha2-nistp256' - } else { - $key_type_real = $key_type - } - if $key_type in $facts['ssh'] { @@sshkey { "${fqdn_real}_${key_type}": ensure => present, host_aliases => $host_aliases, - type => $key_type_real, + type => $key_type, key => $facts['ssh'][$key_type]['key'], tag => $_tags, } } else { @@sshkey { "${fqdn_real}_${key_type}": ensure => absent, - type => $key_type_real, + type => $key_type, } } } From aed42316bffdf23bf3e0560c0bd137671d01923d Mon Sep 17 00:00:00 2001 From: kbcz1989 <58665245+kbcz1989@users.noreply.github.com> Date: Tue, 28 Oct 2025 07:15:50 +0100 Subject: [PATCH 232/246] ssh_instance: write more values as comma-separated strings (#416) * ssh_instance: write gssapikexalgorithms, hostbasedacceptedkeytypes, hostkeyalgorithms and pubkeyacceptedkeytypes as comma-separated string * ssh_instance: add new version renamed parameters --- templates/ssh_instance.erb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/ssh_instance.erb b/templates/ssh_instance.erb index 126aed4c..8a9a4d3c 100644 --- a/templates/ssh_instance.erb +++ b/templates/ssh_instance.erb @@ -40,7 +40,7 @@ ListenAddress <%= listen %> <%- v.keys.sort.each do |key| -%> <%- value = v[key] -%> <%- if value.is_a?(Array) -%> - <%- if ['ciphers', 'macs', 'kexalgorithms'].include?(key.downcase) -%> + <%- if ['ciphers', 'macs', 'kexalgorithms', 'gssapikexalgorithms', 'hostbasedacceptedkeytypes', 'hostbasedacceptedalgorithms', 'hostkeyalgorithms', 'pubkeyacceptedkeytypes', 'pubkeyacceptedalgorithms'].include?(key.downcase) -%> <%= key %> <%= value.join(',') %> <%- else -%> <%- value.each do |a| -%> 
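Review bot: With the alias removed, `type => $key_type` passes the short name `ecdsa` straight to the `sshkey` resource; if that type resolves `ecdsa` to a fixed curve alias, a host whose ECDSA key is on nistp384 or nistp521 would be exported under the wrong type and the collected known_hosts entry would not match the real host key. Facter's structured `ssh` fact reports the exact type next to each key, so the present branch can use it directly: `type => $facts['ssh'][$key_type]['type'],` (the absent branch has no fact to read and can keep `$key_type`). A spec with a non-nistp256 ECDSA fact would pin this either way. The `each` block is fully inside the hunk but its enclosing class is not.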
@@ -55,7 +55,7 @@ ListenAddress <%= listen %> <%- end -%> <%- else -%> <%- if v.is_a?(Array) -%> -<%- if ['ciphers', 'macs', 'kexalgorithms'].include?(k.downcase) -%> +<%- if ['ciphers', 'macs', 'kexalgorithms', 'gssapikexalgorithms', 'hostbasedacceptedkeytypes', 'hostbasedacceptedalgorithms', 'hostkeyalgorithms', 'pubkeyacceptedkeytypes', 'pubkeyacceptedalgorithms'].include?(k.downcase) -%> <%= k %> <%= v.join(',') %> <%- else -%> <%- v.each do |a| -%> From 6b5b8407a6d5a0835e6760a63426435fa75f0669 Mon Sep 17 00:00:00 2001 From: Ron Aughenbaugh Date: Tue, 28 Oct 2025 02:16:52 -0400 Subject: [PATCH 233/246] parameterize the host_priv_key_mode (#410) --- REFERENCE.md | 7 +++++++ data/common.yaml | 1 + manifests/server.pp | 4 ++++ manifests/server/host_key.pp | 4 ++-- 4 files changed, 14 insertions(+), 2 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index b51c3544..7b2b2958 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -540,6 +540,7 @@ The following parameters are available in the `ssh::server` class: * [`sshd_binary`](#-ssh--server--sshd_binary) * [`sshd_config_mode`](#-ssh--server--sshd_config_mode) * [`host_priv_key_group`](#-ssh--server--host_priv_key_group) +* [`host_priv_key_mode`](#-ssh--server--host_priv_key_mode) * [`default_options`](#-ssh--server--default_options) * [`ensure`](#-ssh--server--ensure) * [`include_dir`](#-ssh--server--include_dir) @@ -592,6 +593,12 @@ Data type: `Integer` Name of the group for the private host key +##### `host_priv_key_mode` + +Data type: `Stdlib::Filemode` + +Mode of the private host key + ##### `default_options` Data type: `Hash` diff --git a/data/common.yaml b/data/common.yaml index 2c9556a4..ba7d6d8c 100644 --- a/data/common.yaml +++ b/data/common.yaml 
@@ -22,6 +22,7 @@ ssh::client::ssh_config: '/etc/ssh/ssh_config' ssh::server::service_name: 'svc:/network/ssh:default' ssh::sftp_server_path: 'internal-sftp' ssh::server::host_priv_key_group: 0 +ssh::server::host_priv_key_mode: '0600' ssh::validate_sshd_file : false ssh::collect_enabled : true # Collect sshkey resources ssh::server::issue_net : '/etc/issue.net' diff --git a/manifests/server.pp b/manifests/server.pp index d598c1c1..4a09b523 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -26,6 +26,9 @@ # @param host_priv_key_group # Name of the group for the private host key # +# @param host_priv_key_mode +# Mode of the private host key +# # @param default_options # Default options to set, will be merged with options parameter # @@ -78,6 +81,7 @@ Stdlib::Absolutepath $sshd_binary, Stdlib::Filemode $sshd_config_mode, Integer $host_priv_key_group, + Stdlib::Filemode $host_priv_key_mode, Hash $default_options, Enum[present,absent,latest] $ensure = present, Optional[Stdlib::Absolutepath] $include_dir = undef, diff --git a/manifests/server/host_key.pp b/manifests/server/host_key.pp index ca3e1057..4a881bfa 100644 --- a/manifests/server/host_key.pp +++ b/manifests/server/host_key.pp @@ -100,7 +100,7 @@ ensure => $ensure, owner => 0, group => $ssh::server::host_priv_key_group, - mode => '0600', + mode => $ssh::server::host_priv_key_mode, path => "${ssh::server::sshd_dir}/${name}", source => $manage_priv_key_source, content => $manage_priv_key_content, @@ -121,7 +121,7 @@ ensure => $ensure, owner => 0, group => $ssh::server::host_priv_key_group, - mode => '0600', + mode => $ssh::server::host_priv_key_mode, path => "${ssh::server::sshd_dir}/${name}", show_diff => false, notify => Class['ssh::server::service'], From d5de14476152d950e41171a7a5e5f2493ba141ac Mon Sep 17 00:00:00 2001 
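Review bot: `host_priv_key_mode` is typed `Stdlib::Filemode`, which accepts any mode including group- or world-readable ones, yet the new `@param` doc only says "Mode of the private host key"; a readable host private key lets any local user impersonate the server to clients, so the doc should carry the constraint the default encodes, e.g. `#   Mode of the private host key. Keep it owner-only (default '0600'); open it to a group only together with a dedicated host_priv_key_group.` The `@@ -78,6 +81,7` hunk adds the parameter without a default, which works only because data/common.yaml in this commit supplies `'0600'`; that is consistent with `host_priv_key_group` above it but worth stating in the doc. The parameter list continues past the end of the hunk.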
From: Steffen Zieger Date: Tue, 28 Oct 2025 07:20:53 +0100 Subject: [PATCH 234/246] Update to module template files (#415) * Update from modulesync_config * Update from modulesync_config --- .github/workflows/ci.yml | 3 +++ .github/workflows/labeler.yml | 4 ++++ .github/workflows/prepare_release.yml | 4 ++++ .github/workflows/release.yml | 3 +++ .msync.yml | 2 +- Gemfile | 14 +++++--------- Rakefile | 14 +++----------- 7 files changed, 23 insertions(+), 21 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8c32acf9..44674150 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -16,6 +16,9 @@ concurrency: group: ${{ github.ref_name }} cancel-in-progress: true +permissions: + contents: read + jobs: puppet: name: Puppet diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index 73be88dc..eacd0b33 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -8,6 +8,10 @@ name: "Pull Request Labeler" on: pull_request_target: {} +permissions: + contents: read + pull-requests: write + jobs: labeler: permissions: diff --git a/.github/workflows/prepare_release.yml b/.github/workflows/prepare_release.yml index 6d3b05f3..1b515440 100644 --- a/.github/workflows/prepare_release.yml +++ b/.github/workflows/prepare_release.yml @@ -11,6 +11,10 @@ on: description: 'Module version to be released. Must be a valid semver string without leading v. (1.2.3)' required: false +permissions: + contents: write + pull-requests: write + jobs: release_prep: uses: 'voxpupuli/gha-puppet/.github/workflows/prepare_release.yml@v3' diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b6079081..6de3c633 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -10,6 +10,9 @@ on: tags: - '*' +permissions: + contents: write + jobs: release: name: Release diff --git a/.msync.yml b/.msync.yml index 36e892e9..814fbd04 100644 --- a/.msync.yml +++ b/.msync.yml 
@@ -2,4 +2,4 @@ # Managed by modulesync - DO NOT EDIT # https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ -modulesync_config_version: '9.4.0' +modulesync_config_version: '10.3.0' diff --git a/Gemfile b/Gemfile index 2ac98f89..56259860 100644 --- a/Gemfile +++ b/Gemfile @@ -4,10 +4,8 @@ source ENV['GEM_SOURCE'] || 'https://rubygems.org' group :test do - gem 'voxpupuli-test', '~> 9.0', :require => false - gem 'coveralls', :require => false - gem 'simplecov-console', :require => false - gem 'puppet_metadata', '~> 4.0', :require => false + gem 'voxpupuli-test', '~> 13.0', :require => false + gem 'puppet_metadata', '~> 5.0', :require => false end group :development do @@ -16,17 +14,15 @@ group :development do end group :system_tests do - gem 'voxpupuli-acceptance', '~> 3.0', :require => false + gem 'voxpupuli-acceptance', '~> 4.0', :require => false end group :release do - gem 'voxpupuli-release', '~> 3.0', :require => false + gem 'voxpupuli-release', '~> 5.0', :require => false end gem 'rake', :require => false -gem 'facter', ENV['FACTER_GEM_VERSION'], :require => false, :groups => [:test] -puppetversion = ENV['PUPPET_GEM_VERSION'] || [">= 7.24", "< 9"] -gem 'puppet', puppetversion, :require => false, :groups => [:test] +gem 'openvox', ENV.fetch('OPENVOX_GEM_VERSION', [">= 7", "< 9"]), :require => false, :groups => [:test] # vim: syntax=ruby diff --git a/Rakefile b/Rakefile index 9e7edf74..6922b675 100644 --- a/Rakefile +++ b/Rakefile 
@@ -1,30 +1,22 @@ # Managed by modulesync - DO NOT EDIT # https://voxpupuli.org/docs/updating-files-managed-with-modulesync/ -# Attempt to load voxpupuli-test (which pulls in puppetlabs_spec_helper), -# otherwise attempt to load it directly. begin require 'voxpupuli/test/rake' rescue LoadError - begin - require 'puppetlabs_spec_helper/rake_tasks' - rescue LoadError - end + # only available if gem group test is installed end -# load optional tasks for acceptance -# only available if gem group releases is installed begin require 'voxpupuli/acceptance/rake' rescue LoadError + # only available if gem group acceptance is installed end -# load optional tasks for releases -# only available if gem group releases is installed begin require 'voxpupuli/release/rake_tasks' rescue LoadError - # voxpupuli-release not present + # only available if gem group releases is installed else GCGConfig.user = 'saz' GCGConfig.project = 'puppet-ssh' From a43575950dea500771a7b3a3348b0d615cd7044e Mon Sep 17 00:00:00 2001 From: Kenyon Ralph Date: Mon, 27 Oct 2025 23:27:10 -0700 Subject: [PATCH 235/246] hostkeys: allow for excluding key types (#424) This is useful when running in FIPS mode, for example, because ed25519 keys are not FIPS-compatible, so listing them in ssh's known_hosts file causes ssh to print warnings. --- REFERENCE.md | 9 +++++++++ manifests/hostkeys.pp | 13 ++++++++++++- spec/classes/hostkeys_spec.rb | 12 ++++++++++++ 3 files changed, 33 insertions(+), 1 deletion(-) diff --git a/REFERENCE.md b/REFERENCE.md index 7b2b2958..f29b8ea3 100644 --- a/REFERENCE.md +++ b/REFERENCE.md 
@@ -420,6 +420,7 @@ The following parameters are available in the `ssh::hostkeys` class: * [`exclude_interfaces`](#-ssh--hostkeys--exclude_interfaces) * [`exclude_interfaces_re`](#-ssh--hostkeys--exclude_interfaces_re) * [`exclude_ipaddresses`](#-ssh--hostkeys--exclude_ipaddresses) +* [`exclude_key_types`](#-ssh--hostkeys--exclude_key_types) * [`use_trusted_facts`](#-ssh--hostkeys--use_trusted_facts) * [`tags`](#-ssh--hostkeys--tags) @@ -471,6 +472,14 @@ List of ip addresses to exclude Default value: `[]` +##### `exclude_key_types` + +Data type: `Array[String[1]]` + +List of key types to exclude from exported resources. + +Default value: `[]` + ##### `use_trusted_facts` Data type: `Boolean` diff --git a/manifests/hostkeys.pp b/manifests/hostkeys.pp index 47a4bdba..09c923f0 100644 --- a/manifests/hostkeys.pp +++ b/manifests/hostkeys.pp @@ -19,6 +19,9 @@ # @param exclude_ipaddresses # List of ip addresses to exclude # +# @param exclude_key_types +# List of key types to exclude from exported resources. +# # @param use_trusted_facts # Whether to use trusted or normal facts # @@ -32,6 +35,7 @@ Array $exclude_interfaces = [], Array $exclude_interfaces_re = [], Array $exclude_ipaddresses = [], + Array[String[1]] $exclude_key_types = [], Boolean $use_trusted_facts = false, Optional[Array[String[1]]] $tags = undef, ) { @@ -62,7 +66,14 @@ default => $storeconfigs_groups + $tags, } - ['dsa', 'rsa', 'ecdsa', 'ed25519'].each |String $key_type| { + [ + 'dsa', + 'rsa', + 'ecdsa', + 'ed25519', + ].filter |String[1] $key_type| { + !($key_type in $exclude_key_types) + }.each |String[1] $key_type| { if $key_type in $facts['ssh'] { @@sshkey { "${fqdn_real}_${key_type}": ensure => present, diff --git a/spec/classes/hostkeys_spec.rb b/spec/classes/hostkeys_spec.rb index 1f9dd9e4..cd42d61c 100644 --- a/spec/classes/hostkeys_spec.rb +++ b/spec/classes/hostkeys_spec.rb 
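Review bot: Filtering excluded types out of the list means an excluded key type is no longer exported at all, neither present nor absent, so collectors that already hold e.g. the `_ed25519` entry keep it in known_hosts and the warnings the commit message wants to avoid persist on every host that collected the key earlier. Keeping the full list and routing excluded types into the existing absent branch fixes that: drop the `.filter` block and change the condition to `if ($key_type in $facts['ssh']) and !($key_type in $exclude_key_types) {`. The spec in the following hunk should then assert `contain_sshkey('foo.example.com_ed25519').with_ensure('absent')` rather than the resource's absence. The `if/else` continues past the end of the hunk.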
@@ -64,4 +64,16 @@ } end end + + context 'when filtering a key type' do + let(:params) do + { + exclude_key_types: ['ed25519'], + } + end + + it do + expect(exported_resources).not_to contain_sshkey('foo.example.com_ed25519') + end + end end From 9e0ae40a79cebd80b3a5dfd16b4d7f2025252de2 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Tue, 28 Oct 2025 08:07:36 +0100 Subject: [PATCH 236/246] add HISTORY.md (#426) --- CHANGELOG.md | 135 ++------------------------------------------------ HISTORY.md | 136 +++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 141 insertions(+), 130 deletions(-) create mode 100644 HISTORY.md diff --git a/CHANGELOG.md b/CHANGELOG.md index 43b6aa08..3bfd700e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,136 +1,11 @@ # Changelog -All notable changes to this project will be documented in this file. - -The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), -and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). - -## [13.1.0] -### Added -- puppet/systemd: allow 8.x (#404) - -## [13.0.0] -### Removed -- BREAKING CHANGE: remove Ubuntu 18.04 as supported OS (#402) -### Fixed -- ssh_instance: write ciphers,macs and kex as comma-separated string (#401) -- Purge and Recurse should be set together (#399) -### Added -- Add support for sshd_config include files (#390) -### Changed -- Set merge behavior of ssh::server_instances to deep (#395) - -## [12.1.0] -### Added -- allow puppet/systemd < 8, fixes #382 -### Changed -- set sshd config mode to 0644 on AIX, fixes #371 (#383) -- use `contain` instead of `include`, fixes #367 (#387) -### Fixed -- fix tests on OpenBSD (#384) -- drop tag from concat_{file,fragment}, fixes #304 (#385) -- fix subsystem option if use_augeas = true, fixes #376 (#386) - -## [12.0.1] -### Fixed -- make ssh::hostkeys::exclude_interfaces_re parameter work properly (#380) - -## [12.0.0] -### Added -- add parameter to exclude interfaces with a regex (#378) -- Allow User to add additonal systemd options to instances (#374) -### Changed -- puppet/systemd: Allow 6.x (#364) -### Fixed -- allow ssh::server::ensure = latest, fixes #370 (#377) - -## [11.1.0] -### Fixed -- write ciphers,macs and kex as comma-separated string (#362) -- Fix "No ssh_server_version_major created with OpenSSH 9.2" (#359) - -## [11.0.0] -### Removed -- BREAKING CHANGE: drop support for puppet 6 -### Changed -- puppetlabs/concat: Allow 9.x (#354) -- puppet/systemd: Allow 5.x (#354) -- puppetlabs/stdlib: Require 9.x (#354) -### Added -- add Debian 12 as supported OS -## [10.2.0] -### Changed -- bump puppetlabs/concat to < 9.0.0 (#352) -- Replace deprecated functions (#350) - -## [10.1.0] -### Added -- Support assigning 
multiple tags to a hostkey (#345) -- Add AIX support (#341) -### Changed -- bump puppet/systemd to < 5.0.0 (#344) -### Fixed -- Fix for service name on latest versions of opensuse. (#343) - -## [10.0.0] -### Added -- Add support for client "match blocks" (#332, #333) -- Add data file for OpenBSD (#339) -- Add support for service_ensure/service_enable in `ssh::server::instances` (#338) -### Changed -- Use hiera instead of params.pp (#325, #328) -### Fixed -- Fix parameter lookup for `ssh::server` and `ssh::client` (#331) - -## [9.0.0] -### Added -- Support for multiple instances (#318, #319, #321) - Thanks! -### Changed -- "hostkeys.pp" isn't marked private anymore (#317) - -## [8.0.0] -### Changed -- update path to sftp server on Gentoo (#315, breaking change) - -## [7.0.2] -### Added -- allow stdlib < 9.0.0 (#314) - -## [7.0.1] -### Fixed -- ssh_config: Don't populate options that are set to undef (#312) - -## [7.0.0] -### Fixed -- Fix grammar and spelling in various places -### Changed -- Use GitHub Actions instead of TravisCI -- Update module dependencies -### Removed -- Dropped support for puppet 4 and 5 (Breaking Change) +All notable changes to this project will be documented in this file. +Each new release typically also includes the latest modulesync defaults. +These should not affect the functionality of the module. 
-## [6.2.0] -### Changed -- support older facter versions (#293) +## [v13.1.0](https://github.com/saz/puppet-ssh/tree/v13.1.0) (2025-02-20) -## [6.1.0] -### Fixed -- Fix absolute class name includes -- Use gid 0 instead of group name for $host_priv_key_group (#289) -- Sort hostkeys (#288) -- Do not show diff when installing a ssh private host key (#283) -- Don't populate options which have a value of `undef` (#281) ### Added -- document exclusion of interfaces and ipaddresses within hostkeys.pp (#267) -- add parameter to use trusted facts to hostkeys.pp (#226) -## [6.0.0] -### Fixed -- don't fail at deep_merge if hiera data not available, see #272 -- Fix typo in match_block example in README, see #271, #273 -### Added -- Add CHANGELOG (starting with this release), see #222 -- Test module with Puppet 6.1, see #269 -### Changed -- Convert `ipaddresses` to 4x API namespaced function, see #270 -- Allow `puppetlabs` `stdlib` and `concat` 6.x, see #280 +- puppet/systemd: allow 8.x (#404) diff --git a/HISTORY.md b/HISTORY.md new file mode 100644 index 00000000..43b6aa08 --- /dev/null +++ b/HISTORY.md 
@@ -0,0 +1,136 @@ +# Changelog +All notable changes to this project will be documented in this file. + +The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), +and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). + +## [13.1.0] +### Added +- puppet/systemd: allow 8.x (#404) + +## [13.0.0] +### Removed +- BREAKING CHANGE: remove Ubuntu 18.04 as supported OS (#402) +### Fixed +- ssh_instance: write ciphers,macs and kex as comma-separated string (#401) +- Purge and Recurse should be set together (#399) +### Added +- Add support for sshd_config include files (#390) +### Changed +- Set merge behavior of ssh::server_instances to deep (#395) + +## [12.1.0] +### Added +- allow puppet/systemd < 8, fixes #382 +### Changed +- set sshd config mode to 0644 on AIX, fixes #371 (#383) +- use `contain` instead of `include`, fixes #367 (#387) +### Fixed +- fix tests on OpenBSD (#384) +- drop tag from concat_{file,fragment}, fixes #304 (#385) +- fix subsystem option if use_augeas = true, fixes #376 (#386) + +## [12.0.1] +### Fixed +- make ssh::hostkeys::exclude_interfaces_re parameter work properly (#380) + +## [12.0.0] +### Added +- add parameter to exclude interfaces with a regex (#378) +- Allow User to add additonal systemd options to instances (#374) +### Changed +- puppet/systemd: Allow 6.x (#364) +### Fixed +- allow ssh::server::ensure = latest, fixes #370 (#377) + +## [11.1.0] +### Fixed +- write ciphers,macs and kex as comma-separated string (#362) +- Fix "No ssh_server_version_major created with OpenSSH 9.2" (#359) + +## [11.0.0] +### Removed +- BREAKING CHANGE: drop support for puppet 6 +### Changed +- puppetlabs/concat: Allow 9.x (#354) +- puppet/systemd: Allow 5.x (#354) +- puppetlabs/stdlib: Require 9.x (#354) +### Added +- add Debian 12 as supported OS + +## [10.2.0] +### Changed +- bump puppetlabs/concat to < 9.0.0 (#352) +- Replace deprecated functions (#350) + +## [10.1.0] +### Added +- Support assigning 
multiple tags to a hostkey (#345) +- Add AIX support (#341) +### Changed +- bump puppet/systemd to < 5.0.0 (#344) +### Fixed +- Fix for service name on latest versions of opensuse. (#343) + +## [10.0.0] +### Added +- Add support for client "match blocks" (#332, #333) +- Add data file for OpenBSD (#339) +- Add support for service_ensure/service_enable in `ssh::server::instances` (#338) +### Changed +- Use hiera instead of params.pp (#325, #328) +### Fixed +- Fix parameter lookup for `ssh::server` and `ssh::client` (#331) + +## [9.0.0] +### Added +- Support for multiple instances (#318, #319, #321) - Thanks! +### Changed +- "hostkeys.pp" isn't marked private anymore (#317) + +## [8.0.0] +### Changed +- update path to sftp server on Gentoo (#315, breaking change) + +## [7.0.2] +### Added +- allow stdlib < 9.0.0 (#314) + +## [7.0.1] +### Fixed +- ssh_config: Don't populate options that are set to undef (#312) + +## [7.0.0] +### Fixed +- Fix grammar and spelling in various places +### Changed +- Use GitHub Actions instead of TravisCI +- Update module dependencies +### Removed +- Dropped support for puppet 4 and 5 (Breaking Change) + +## [6.2.0] +### Changed +- support older facter versions (#293) + +## [6.1.0] +### Fixed +- Fix absolute class name includes +- Use gid 0 instead of group name for $host_priv_key_group (#289) +- Sort hostkeys (#288) +- Do not show diff when installing a ssh private host key (#283) +- Don't populate options which have a value of `undef` (#281) +### Added +- document exclusion of interfaces and ipaddresses within hostkeys.pp (#267) +- add parameter to use trusted facts to hostkeys.pp (#226) + +## [6.0.0] +### Fixed +- don't fail at deep_merge if hiera data not available, see #272 +- Fix typo in match_block example in README, see #271, #273 +### Added +- Add CHANGELOG (starting with this release), see #222 +- Test module with Puppet 6.1, see #269 +### Changed +- Convert `ipaddresses` to 4x API namespaced function, see #270 +- Allow 
`puppetlabs` `stdlib` and `concat` 6.x, see #280 From 6a2e4ca7db488f635e09221cfd40ce7da535c488 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Tue, 28 Oct 2025 08:10:38 +0100 Subject: [PATCH 237/246] fix version numbers in HISTORY.md (#427) --- HISTORY.md | 111 ++++++++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 93 insertions(+), 18 deletions(-) diff --git a/HISTORY.md b/HISTORY.md index 43b6aa08..b3b03c3d 100644 --- a/HISTORY.md +++ b/HISTORY.md 
@@ -1,136 +1,211 @@ # Changelog + All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). -## [13.1.0] +## [v13.1.0] + ### Added + - puppet/systemd: allow 8.x (#404) -## [13.0.0] +## [v13.0.0] + ### Removed + - BREAKING CHANGE: remove Ubuntu 18.04 as supported OS (#402) + ### Fixed + - ssh_instance: write ciphers,macs and kex as comma-separated string (#401) - Purge and Recurse should be set together (#399) + ### Added + - Add support for sshd_config include files (#390) + ### Changed + - Set merge behavior of ssh::server_instances to deep (#395) -## [12.1.0] +## [v12.1.0] + ### Added + - allow puppet/systemd < 8, fixes #382 + ### Changed + - set sshd config mode to 0644 on AIX, fixes #371 (#383) - use `contain` instead of `include`, fixes #367 (#387) + ### Fixed + - fix tests on OpenBSD (#384) - drop tag from concat_{file,fragment}, fixes #304 (#385) - fix subsystem option if use_augeas = true, fixes #376 (#386) -## [12.0.1] +## [v12.0.1] + ### Fixed + - make ssh::hostkeys::exclude_interfaces_re parameter work properly (#380) -## [12.0.0] +## [v12.0.0] + ### Added + - add parameter to exclude interfaces with a regex (#378) - Allow User to add additonal systemd options to instances (#374) + ### Changed + - puppet/systemd: Allow 6.x (#364) + ### Fixed + - allow ssh::server::ensure = latest, fixes #370 (#377) -## [11.1.0] +## [v11.1.0] + ### Fixed + - write ciphers,macs and kex as comma-separated string (#362) - Fix "No ssh_server_version_major created with OpenSSH 9.2" (#359) -## [11.0.0] +## [v11.0.0] + ### Removed + - BREAKING CHANGE: drop support for puppet 6 + ### Changed + - puppetlabs/concat: Allow 9.x (#354) - puppet/systemd: Allow 5.x (#354) - puppetlabs/stdlib: Require 9.x (#354) + ### Added + - add Debian 12 as supported OS -## [10.2.0] +## [v10.2.0] + ### Changed + - bump 
puppetlabs/concat to < 9.0.0 (#352) - Replace deprecated functions (#350) -## [10.1.0] +## [v10.1.0] + ### Added + - Support assigning multiple tags to a hostkey (#345) - Add AIX support (#341) + ### Changed + - bump puppet/systemd to < 5.0.0 (#344) + ### Fixed + - Fix for service name on latest versions of opensuse. (#343) -## [10.0.0] +## [v10.0.0] + ### Added + - Add support for client "match blocks" (#332, #333) - Add data file for OpenBSD (#339) - Add support for service_ensure/service_enable in `ssh::server::instances` (#338) + ### Changed + - Use hiera instead of params.pp (#325, #328) + ### Fixed + - Fix parameter lookup for `ssh::server` and `ssh::client` (#331) -## [9.0.0] +## [v9.0.0] + ### Added + - Support for multiple instances (#318, #319, #321) - Thanks! + ### Changed + - "hostkeys.pp" isn't marked private anymore (#317) -## [8.0.0] +## [v8.0.0] + ### Changed + - update path to sftp server on Gentoo (#315, breaking change) -## [7.0.2] +## [v7.0.2] + ### Added + - allow stdlib < 9.0.0 (#314) -## [7.0.1] +## [v7.0.1] + ### Fixed + - ssh_config: Don't populate options that are set to undef (#312) -## [7.0.0] +## [v7.0.0] + ### Fixed + - Fix grammar and spelling in various places + ### Changed + - Use GitHub Actions instead of TravisCI - Update module dependencies + ### Removed + - Dropped support for puppet 4 and 5 (Breaking Change) -## [6.2.0] +## [v6.2.0] + ### Changed + - support older facter versions (#293) -## [6.1.0] +## [v6.1.0] + ### Fixed + - Fix absolute class name includes - Use gid 0 instead of group name for $host_priv_key_group (#289) - Sort hostkeys (#288) - Do not show diff when installing a ssh private host key (#283) - Don't populate options which have a value of `undef` (#281) + ### Added + - document exclusion of interfaces and ipaddresses within hostkeys.pp (#267) - add parameter to use trusted facts to hostkeys.pp (#226) -## [6.0.0] +## [v6.0.0] + ### Fixed + - don't fail at deep_merge if hiera data not available, see #272 - Fix 
typo in match_block example in README, see #271, #273 + ### Added + - Add CHANGELOG (starting with this release), see #222 - Test module with Puppet 6.1, see #269 + ### Changed + - Convert `ipaddresses` to 4x API namespaced function, see #270 - Allow `puppetlabs` `stdlib` and `concat` 6.x, see #280 From ac780d38fafd3dd49bcc1eeacdb9eeb6bf89c0f1 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Tue, 28 Oct 2025 11:00:57 +0100 Subject: [PATCH 238/246] Release 14.0.0 (#428) Co-authored-by: Release Automation --- CHANGELOG.md | 246 +++++++++++++++++++++++++++++++++++++++++++++++++- metadata.json | 2 +- 2 files changed, 246 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3bfd700e..ee458f8f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -4,8 +4,252 @@ All notable changes to this project will be documented in this file. Each new release typically also includes the latest modulesync defaults. These should not affect the functionality of the module. -## [v13.1.0](https://github.com/saz/puppet-ssh/tree/v13.1.0) (2025-02-20) +## [v14.0.0](https://github.com/saz/puppet-ssh/tree/v14.0.0) (2025-10-28) + +[Full Changelog](https://github.com/saz/puppet-ssh/compare/v13.1.0...v14.0.0) + +**Breaking changes:** + +- replace puppet requirement by openvox [\#425](https://github.com/saz/puppet-ssh/pull/425) ([saz](https://github.com/saz)) +- hostkeys: remove Puppet 4 workaround [\#423](https://github.com/saz/puppet-ssh/pull/423) ([kenyon](https://github.com/kenyon)) + +**Implemented enhancements:** + +- hostkeys: allow for excluding key types [\#424](https://github.com/saz/puppet-ssh/pull/424) ([kenyon](https://github.com/kenyon)) +- puppet/systemd: Allow 9.x [\#419](https://github.com/saz/puppet-ssh/pull/419) ([bastelfreak](https://github.com/bastelfreak)) +- Add Ubuntu 24.04 [\#418](https://github.com/saz/puppet-ssh/pull/418) ([bwitt](https://github.com/bwitt)) +- Parameterize mode of private key. 
[\#410](https://github.com/saz/puppet-ssh/pull/410) ([mojibake-umd](https://github.com/mojibake-umd)) + +**Fixed bugs:** + +- AIX: fix `ssh::client::ssh_config` setting [\#422](https://github.com/saz/puppet-ssh/pull/422) ([kenyon](https://github.com/kenyon)) +- AIX: remove nonexistent `ssh::server::ssh_known_hosts` setting [\#421](https://github.com/saz/puppet-ssh/pull/421) ([kenyon](https://github.com/kenyon)) +- ssh\_instance: write more values as comma-separated strings [\#416](https://github.com/saz/puppet-ssh/pull/416) ([kbcz1989](https://github.com/kbcz1989)) +- replace legacy facts in issue.net template, fixes \#408 [\#409](https://github.com/saz/puppet-ssh/pull/409) ([saz](https://github.com/saz)) + +**Closed issues:** + +- Add support for Ubuntu 24.04 [\#417](https://github.com/saz/puppet-ssh/issues/417) +- hostkeys: exclude ip classes for hostkey [\#413](https://github.com/saz/puppet-ssh/issues/413) +- Legacy fact hostname referenced in template erb file [\#408](https://github.com/saz/puppet-ssh/issues/408) + +**Merged pull requests:** + +- fix version numbers in HISTORY.md [\#427](https://github.com/saz/puppet-ssh/pull/427) ([saz](https://github.com/saz)) +- add HISTORY.md [\#426](https://github.com/saz/puppet-ssh/pull/426) ([saz](https://github.com/saz)) +- metadata.json [\#420](https://github.com/saz/puppet-ssh/pull/420) ([bastelfreak](https://github.com/bastelfreak)) + +# Changelog + +All notable changes to this project will be documented in this file. + +The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), +and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). 
+ +## [v13.1.0] ### Added - puppet/systemd: allow 8.x (#404) + +## [v13.0.0] + +### Removed + +- BREAKING CHANGE: remove Ubuntu 18.04 as supported OS (#402) + +### Fixed + +- ssh_instance: write ciphers,macs and kex as comma-separated string (#401) +- Purge and Recurse should be set together (#399) + +### Added + +- Add support for sshd_config include files (#390) + +### Changed + +- Set merge behavior of ssh::server_instances to deep (#395) + +## [v12.1.0] + +### Added + +- allow puppet/systemd < 8, fixes #382 + +### Changed + +- set sshd config mode to 0644 on AIX, fixes #371 (#383) +- use `contain` instead of `include`, fixes #367 (#387) + +### Fixed + +- fix tests on OpenBSD (#384) +- drop tag from concat_{file,fragment}, fixes #304 (#385) +- fix subsystem option if use_augeas = true, fixes #376 (#386) + +## [v12.0.1] + +### Fixed + +- make ssh::hostkeys::exclude_interfaces_re parameter work properly (#380) + +## [v12.0.0] + +### Added + +- add parameter to exclude interfaces with a regex (#378) +- Allow User to add additonal systemd options to instances (#374) + +### Changed + +- puppet/systemd: Allow 6.x (#364) + +### Fixed + +- allow ssh::server::ensure = latest, fixes #370 (#377) + +## [v11.1.0] + +### Fixed + +- write ciphers,macs and kex as comma-separated string (#362) +- Fix "No ssh_server_version_major created with OpenSSH 9.2" (#359) + +## [v11.0.0] + +### Removed + +- BREAKING CHANGE: drop support for puppet 6 + +### Changed + +- puppetlabs/concat: Allow 9.x (#354) +- puppet/systemd: Allow 5.x (#354) +- puppetlabs/stdlib: Require 9.x (#354) + +### Added + +- add Debian 12 as supported OS + +## [v10.2.0] + +### Changed + +- bump puppetlabs/concat to < 9.0.0 (#352) +- Replace deprecated functions (#350) + +## [v10.1.0] + +### Added + +- Support assigning multiple tags to a hostkey (#345) +- Add AIX support (#341) + +### Changed + +- bump puppet/systemd to < 5.0.0 (#344) + +### Fixed + +- Fix for service name on latest versions of opensuse. 
(#343) + +## [v10.0.0] + +### Added + +- Add support for client "match blocks" (#332, #333) +- Add data file for OpenBSD (#339) +- Add support for service_ensure/service_enable in `ssh::server::instances` (#338) + +### Changed + +- Use hiera instead of params.pp (#325, #328) + +### Fixed + +- Fix parameter lookup for `ssh::server` and `ssh::client` (#331) + +## [v9.0.0] + +### Added + +- Support for multiple instances (#318, #319, #321) - Thanks! + +### Changed + +- "hostkeys.pp" isn't marked private anymore (#317) + +## [v8.0.0] + +### Changed + +- update path to sftp server on Gentoo (#315, breaking change) + +## [v7.0.2] + +### Added + +- allow stdlib < 9.0.0 (#314) + +## [v7.0.1] + +### Fixed + +- ssh_config: Don't populate options that are set to undef (#312) + +## [v7.0.0] + +### Fixed + +- Fix grammar and spelling in various places + +### Changed + +- Use GitHub Actions instead of TravisCI +- Update module dependencies + +### Removed + +- Dropped support for puppet 4 and 5 (Breaking Change) + +## [v6.2.0] + +### Changed + +- support older facter versions (#293) + +## [v6.1.0] + +### Fixed + +- Fix absolute class name includes +- Use gid 0 instead of group name for $host_priv_key_group (#289) +- Sort hostkeys (#288) +- Do not show diff when installing a ssh private host key (#283) +- Don't populate options which have a value of `undef` (#281) + +### Added + +- document exclusion of interfaces and ipaddresses within hostkeys.pp (#267) +- add parameter to use trusted facts to hostkeys.pp (#226) + +## [v6.0.0] + +### Fixed + +- don't fail at deep_merge if hiera data not available, see #272 +- Fix typo in match_block example in README, see #271, #273 + +### Added + +- Add CHANGELOG (starting with this release), see #222 +- Test module with Puppet 6.1, see #269 + +### Changed + +- Convert `ipaddresses` to 4x API namespaced function, see #270 +- Allow `puppetlabs` `stdlib` and `concat` 6.x, see #280 + + +\* *This Changelog was automatically generated by 
[github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)* diff --git a/metadata.json b/metadata.json index efe8c042..fcb9957e 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "saz-ssh", - "version": "13.1.0", + "version": "14.0.0", "author": "saz", "summary": "Manage SSH client and server via Puppet.", "license": "Apache-2.0", From 7bbbac8f773e56bbb5cbb0d256dc318dd5dbd119 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Tue, 28 Oct 2025 17:48:17 +0100 Subject: [PATCH 239/246] Fix ssh hostkeys export after merging #423 (#429) Without the workaround, we should use the ssh key type stored in the fact, as `ecdsa` isn't a valid key type. See https://www.puppet.com/docs/puppet/7/core_facts.html#ssh for valid names in the `ssh` fact --- manifests/hostkeys.pp | 17 +++++++++++++---- spec/classes/hostkeys_spec.rb | 6 +++--- 2 files changed, 16 insertions(+), 7 deletions(-) diff --git a/manifests/hostkeys.pp b/manifests/hostkeys.pp index 09c923f0..19d05cec 100644 --- a/manifests/hostkeys.pp +++ b/manifests/hostkeys.pp @@ -78,14 +78,23 @@ @@sshkey { "${fqdn_real}_${key_type}": ensure => present, host_aliases => $host_aliases, - type => $key_type, + type => $facts['ssh'][$key_type]['type'], key => $facts['ssh'][$key_type]['key'], tag => $_tags, } } else { - @@sshkey { "${fqdn_real}_${key_type}": - ensure => absent, - type => $key_type, + if $key_type == 'ecdsa' { + ['ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384', 'ecdsa-sha2-nistp521'].each |String[1] $kt| { + @@sshkey { "${fqdn_real}_${kt}": + ensure => absent, + type => $kt, + } + } + } else { + @@sshkey { "${fqdn_real}_${key_type}": + ensure => absent, + type => $key_type, + } } } } diff --git a/spec/classes/hostkeys_spec.rb b/spec/classes/hostkeys_spec.rb index cd42d61c..e341077d 100644 --- a/spec/classes/hostkeys_spec.rb +++ b/spec/classes/hostkeys_spec.rb 
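Review bot: The present export keeps the title `"${fqdn_real}_${key_type}"` (i.e. `…_ecdsa`), while the new absent exports for ecdsa are titled `"${fqdn_real}_${kt}"` (`…_ecdsa-sha2-nistp256` and so on), so the two branches never name the same resource. A host that had an ecdsa key and later loses it simply stops exporting `…_ecdsa`, and the absent exports under the other titles presumably do not match the entry clients already hold (how the provider matches existing known_hosts records by name and type is not visible here), leaving a retired host key trusted on every client. One option is to derive the present title from the fact as well, `"${fqdn_real}_${facts['ssh'][$key_type]['type']}"`, so that both branches agree; that renames the exported resources and needs the spec updated accordingly. Worth a comment on the `if $key_type == 'ecdsa'` branch explaining why the three nistp variants are enumerated, since the reason lives only in the commit message.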
@@ -19,7 +19,7 @@ expect(exported_resources).to contain_sshkey("foo.example.com_#{key_type}"). with( ensure: 'present', - type: %r{^#{key_type}}, + type: %r{^ssh-#{key_type}}, tag: %w[group1 group2] ) } @@ -38,7 +38,7 @@ expect(exported_resources).to contain_sshkey("foo.example.com_#{key_type}"). with( ensure: 'present', - type: %r{^#{key_type}}, + type: %r{^ssh-#{key_type}}, tag: %w[hostkey_all hostkey_server_group] ) } @@ -58,7 +58,7 @@ expect(exported_resources).to contain_sshkey("foo.example.com_#{key_type}"). with( ensure: 'present', - type: %r{^#{key_type}}, + type: %r{^ssh-#{key_type}}, tag: %w[hostkey_all hostkey_server_group group1 group2] ) } From 2db88702465e7aa6873749cede422b07a0bba5c3 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Tue, 28 Oct 2025 17:55:37 +0100 Subject: [PATCH 240/246] Release 14.0.1 (#430) Co-authored-by: Release Automation --- CHANGELOG.md | 8 ++++++++ metadata.json | 2 +- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ee458f8f..c0e49901 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,14 @@ All notable changes to this project will be documented in this file. Each new release typically also includes the latest modulesync defaults. These should not affect the functionality of the module. +## [v14.0.1](https://github.com/saz/puppet-ssh/tree/v14.0.1) (2025-10-28) + +[Full Changelog](https://github.com/saz/puppet-ssh/compare/v14.0.0...v14.0.1) + +**Fixed bugs:** + +- Fix ssh hostkeys export after merging \#423 [\#429](https://github.com/saz/puppet-ssh/pull/429) ([saz](https://github.com/saz)) + ## [v14.0.0](https://github.com/saz/puppet-ssh/tree/v14.0.0) (2025-10-28) [Full Changelog](https://github.com/saz/puppet-ssh/compare/v13.1.0...v14.0.0) diff --git a/metadata.json b/metadata.json index fcb9957e..ac17fadc 100644 --- a/metadata.json +++ b/metadata.json 
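Review bot: `%r{^ssh-#{key_type}}` only matches fact types that are literally `ssh-<key_type>`, which holds for `rsa` and `ed25519` but not for `dsa` (`ssh-dss`) or `ecdsa` (`ecdsa-sha2-nistp*`), so this expectation fails as soon as the loop that defines `key_type` (outside the hunk) includes either of those. If the loop covers only rsa and ed25519, an exact `type: "ssh-#{key_type}"` states that more honestly than a prefix regex; otherwise map each key type to its expected fact type in the spec. The `@@ -38,7 +38,7 @@` and `@@ -58,7 +58,7 @@` hunks have the same issue.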
@@ -1,6 +1,6 @@ { "name": "saz-ssh", - "version": "14.0.0", + "version": "14.0.1", "author": "saz", "summary": "Manage SSH client and server via Puppet.", "license": "Apache-2.0", From c6af70edbd009695773e90b0ffd9247f5c1672a9 Mon Sep 17 00:00:00 2001 From: Marek Pastierik Date: Thu, 30 Oct 2025 09:44:46 +0100 Subject: [PATCH 241/246] Change variable type to String for ssh::server::ensure (#432) --- REFERENCE.md | 2 +- manifests/server.pp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index f29b8ea3..4644646e 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -616,7 +616,7 @@ Default options to set, will be merged with options parameter ##### `ensure` -Data type: `Enum[present,absent,latest]` +Data type: `String` Ensurable param to ssh server diff --git a/manifests/server.pp b/manifests/server.pp index 4a09b523..35c39077 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -83,7 +83,7 @@ Integer $host_priv_key_group, Stdlib::Filemode $host_priv_key_mode, Hash $default_options, - Enum[present,absent,latest] $ensure = present, + String $ensure = present, Optional[Stdlib::Absolutepath] $include_dir = undef, Stdlib::Filemode $include_dir_mode = '0700', Boolean $include_dir_purge = true, From d0cacee773dcf970444a23e1334d6015aaf79297 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Thu, 30 Oct 2025 10:31:56 +0100 Subject: [PATCH 242/246] Release 14.0.2 (#433) Co-authored-by: Release Automation --- CHANGELOG.md | 12 ++++++++++++ metadata.json | 2 +- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c0e49901..13b3146b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
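Review bot: `String $ensure = present,` drops the compile-time validation the `Enum` gave without documenting what replaced it; at minimum use `String[1] $ensure = present,` so an empty string is rejected, and state in the `@param ensure` doc (and in the REFERENCE.md hunk above, which still reads "Ensurable param to ssh server") that a package version string is accepted alongside `present`, `absent` and `latest`, which presumably is the motivation behind #431. The enclosing class parameter list starts outside the hunk.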
@@ -4,6 +4,18 @@ All notable changes to this project will be documented in this file. Each new release typically also includes the latest modulesync defaults. These should not affect the functionality of the module. +## [v14.0.2](https://github.com/saz/puppet-ssh/tree/v14.0.2) (2025-10-30) + +[Full Changelog](https://github.com/saz/puppet-ssh/compare/v14.0.1...v14.0.2) + +**Fixed bugs:** + +- Change variable type to String for ssh::server::ensure [\#432](https://github.com/saz/puppet-ssh/pull/432) ([marek130](https://github.com/marek130)) + +**Closed issues:** + +- Misleading parameter [\#431](https://github.com/saz/puppet-ssh/issues/431) + ## [v14.0.1](https://github.com/saz/puppet-ssh/tree/v14.0.1) (2025-10-28) [Full Changelog](https://github.com/saz/puppet-ssh/compare/v14.0.0...v14.0.1) diff --git a/metadata.json b/metadata.json index ac17fadc..70f49099 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "saz-ssh", - "version": "14.0.1", + "version": "14.0.2", "author": "saz", "summary": "Manage SSH client and server via Puppet.", "license": "Apache-2.0", From cdc4275ea64c24ddd52276ca3dee23aa743e9d55 Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Thu, 30 Oct 2025 15:38:08 +0100 Subject: [PATCH 243/246] set KbdInteractiveAuthentication on newer SSH versions (#434) --- README.md | 10 +++++++--- data/AIX.yaml | 5 ++--- data/OpenBSD.yaml | 1 - data/Solaris.yaml | 3 +-- data/common.yaml | 1 - manifests/server.pp | 7 ++++++- spec/classes/server_spec.rb | 10 ++++++++++ 7 files changed, 26 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 4dc01202..2f012953 100644 --- a/README.md +++ b/README.md 
@@ -7,9 +7,9 @@ [![Build Status](https://github.com/saz/puppet-ssh/workflows/CI/badge.svg)](https://github.com/saz/puppet-ssh/actions?query=workflow%3ACI) Manage SSH client and server via Puppet. -Source: https://github.com/saz/puppet-ssh ## Requirements + * Exported resources for host keys management * puppetlabs/stdlib * puppetlabs/concat @@ -31,6 +31,7 @@ options => { This is working for both, client and server. ### Both client, server and per user client configuration + Host keys will be collected and distributed unless `storeconfigs_enabled` is `false`. @@ -71,6 +72,7 @@ class { 'ssh': ``` ### Hiera example + ```yaml ssh::storeconfigs_enabled: true @@ -106,6 +108,7 @@ ssh::users_client_options: ``` ### Client only + Collected host keys from servers will be written to `known_hosts` unless `storeconfigs_enabled` is `false` @@ -189,6 +192,7 @@ SSH configuration file will be `/var/lib/bob/.ssh/config`. ``` ### Server only + Host keys will be collected for client distribution unless `storeconfigs_enabled` is `false` @@ -226,7 +230,6 @@ class { 'ssh::server': } ``` - ## Default options ### Client @@ -251,6 +254,7 @@ class { 'ssh::server': ``` ## Overwriting default options + Default options will be merged with options passed in. If an option is set both as default and via options parameter, the latter will win. @@ -305,6 +309,7 @@ PasswordAuthentication no ``` ## Defining host keys for server + You can define host keys your server will use ```puppet @@ -327,7 +332,6 @@ ssh::server::host_key {'ssh_host_rsa_key': Both of these definitions will create ```/etc/ssh/ssh_host_rsa_key``` and ```/etc/ssh/ssh_host_rsa_key.pub``` and restart sshd daemon. - ## Adding custom match blocks ```puppet diff --git a/data/AIX.yaml b/data/AIX.yaml index b3a1aa5b..21c3df57 100644 --- a/data/AIX.yaml +++ b/data/AIX.yaml 
@@ -8,9 +8,8 @@ ssh::server::service_name: 'sshd' ssh::sftp_server_path: '/usr/sbin/sftp-server' ssh::server::host_priv_key_group: 0 ssh::server::default_options: - AcceptEnv: 'LANG LC_*' - ChallengeResponseAuthentication: 'no' + X11Forwarding: 'yes' PrintMotd: 'no' + AcceptEnv: 'LANG LC_*' Subsystem: "sftp %{lookup('ssh::sftp_server_path')}" UsePAM: 'no' - X11Forwarding: 'yes' diff --git a/data/OpenBSD.yaml b/data/OpenBSD.yaml index bc486174..e96aff2a 100644 --- a/data/OpenBSD.yaml +++ b/data/OpenBSD.yaml @@ -7,7 +7,6 @@ ssh::server::service_name: 'sshd' ssh::sftp_server_path: '/usr/libexec/sftp-server' ssh::server::host_priv_key_group: 0 ssh::server::default_options: - ChallengeResponseAuthentication: 'no' X11Forwarding: 'yes' PrintMotd: 'no' AcceptEnv: 'LANG LC_*' diff --git a/data/Solaris.yaml b/data/Solaris.yaml index 1c35486c..bf1c4e79 100644 --- a/data/Solaris.yaml +++ b/data/Solaris.yaml @@ -6,12 +6,11 @@ ssh::server::service_name: 'svc:/network/ssh:default' ssh::sftp_server_path: 'internal-sftp' ssh::server::default_options: - ChallengeResponseAuthentication: 'no' X11Forwarding: 'yes' PrintMotd: 'no' Subsystem: "sftp %{lookup('ssh::sftp_server_path')}" HostKey: - "%{lookup('ssh::server::sshd_dir')}/ssh_host_rsa_key" - "%{lookup('ssh::server::sshd_dir')}/ssh_host_dsa_key" - + ssh::client::default_options: {} diff --git a/data/common.yaml b/data/common.yaml index ba7d6d8c..16223f07 100644 --- a/data/common.yaml +++ b/data/common.yaml @@ -29,7 +29,6 @@ ssh::server::issue_net : '/etc/issue.net' ssh::knownhosts::collect_enabled : true ssh::server::default_options: - ChallengeResponseAuthentication: 'no' X11Forwarding: 'yes' PrintMotd: 'no' AcceptEnv: 'LANG LC_*' diff --git a/manifests/server.pp b/manifests/server.pp index 35c39077..123cf3da 100644 --- a/manifests/server.pp +++ b/manifests/server.pp 
@@ -101,7 +101,12 @@ if $use_augeas {
 $merged_options = sshserver_options_to_augeas_sshd_config($options, $options_absent, { 'target' => $ssh::server::sshd_config })
 } else {
- $merged_options = deep_merge($default_options, $options)
+ if $facts['ssh_server_version_release'] and versioncmp($facts['ssh_server_version_release'], '8.6') >= 0 {
+ $default_options_real = $default_options + { 'KbdInteractiveAuthentication' => 'no' }
+ } else {
+ $default_options_real = $default_options + { 'ChallengeResponseAuthentication' => 'no' }
+ }
+ $merged_options = deep_merge($default_options_real, $options)
 }
 contain ssh::server::install
diff --git a/spec/classes/server_spec.rb b/spec/classes/server_spec.rb
index a5266ef0..afc34654 100644
--- a/spec/classes/server_spec.rb
+++ b/spec/classes/server_spec.rb
@@ -7,6 +7,16 @@ context "on #{os}" do
 let(:facts) { os_facts }
+ case os_facts[:os]['name']
+ when 'Debian'
+ context 'with ssh_server_version_release set to 10.0', if: os_facts[:os]['release']['major'] == '12' do
+ let(:facts) { os_facts.merge(ssh_server_version_release: '10.0') }
+ sshd_config = "# File is managed by Puppet\n\nAcceptEnv LANG LC_*\nKbdInteractiveAuthentication no\nPrintMotd no\nSubsystem sftp /usr/lib/openssh/sftp-server\nUsePAM yes\nX11Forwarding yes\n"
+ it { is_expected.to contain_concat__fragment('global config').with_content(sshd_config) }
+ end
+ end
+ svc_name = case os_facts[:os]['family']
 when 'Debian'
 'ssh'
From 6902474932fd9b047e3568894b23ee7a25075272 Mon Sep 17 00:00:00 2001
From: Steffen Zieger
Date: Thu, 30 Oct 2025 15:38:54 +0100
Subject: [PATCH 244/246] use proper sshd binary location in config validate command (#435)
---
 manifests/server/config.pp | 2 +-
 manifests/server/config_file.pp | 2 +-
 manifests/server/instances.pp | 2 +-
 spec/classes/init_spec.rb | 10 +++++++++-
 spec/classes/server_spec.rb | 21 ++++++++++++++++++++-
 5 files changed, 32 insertions(+), 5 deletions(-)
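Review bot: The right-hand operand wins in a Puppet hash `+`, so `$default_options + { 'KbdInteractiveAuthentication' => 'no' }` (and the `ChallengeResponseAuthentication` counterpart two lines below) silently overwrites a value an operator set for that key in `ssh::server::default_options` data; reversing the operands, `{ 'KbdInteractiveAuthentication' => 'no' } + $default_options`, keeps the built-in as a fallback that data can still override. A caller that still passes `ChallengeResponseAuthentication` through `$options` on a host whose fact reports 8.6 or newer now gets both keywords in sshd_config; on OpenSSH 8.7+ they name the same setting and sshd keeps the first occurrence, so the effective value depends on output order rather than intent, which argues for translating the old key in `$options` or at least a `@param options` note. The `'8.6'` threshold deserves a why-comment, since as far as I recall it is the 8.7 release that turned the old name into an alias (confirm against the OpenSSH release notes). The enclosing `ssh::server` class body starts and ends outside the hunk, and the data/*.yaml hunks on the previous line remove the old default, so this conditional is now its only source.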
diff --git a/manifests/server/config.pp b/manifests/server/config.pp
index 4b5f45fd..2c78b5eb 100644
--- a/manifests/server/config.pp
+++ b/manifests/server/config.pp
@@ -11,7 +11,7 @@ case $ssh::server::validate_sshd_file {
 true: {
- $sshd_validate_cmd = '/usr/sbin/sshd -tf %'
+ $sshd_validate_cmd = "${ssh::server::sshd_binary} -tf %"
 }
 default: {
 $sshd_validate_cmd = undef
diff --git a/manifests/server/config_file.pp b/manifests/server/config_file.pp
index a9930240..c122e2f4 100644
--- a/manifests/server/config_file.pp
+++ b/manifests/server/config_file.pp
@@ -22,7 +22,7 @@ case $ssh::server::validate_sshd_file {
 true: {
- $sshd_validate_cmd = '/usr/sbin/sshd -tf %'
+ $sshd_validate_cmd = "${ssh::server::sshd_binary} -tf %"
 }
 default: {
 $sshd_validate_cmd = undef
diff --git a/manifests/server/instances.pp b/manifests/server/instances.pp
index 049dcd28..f366aab1 100644
--- a/manifests/server/instances.pp
+++ b/manifests/server/instances.pp
@@ -46,7 +46,7 @@ if $facts['kernel'] == 'Linux' {
 case $validate_config_file {
 true: {
- $validate_cmd = '/usr/sbin/sshd -tf %'
+ $validate_cmd = "${ssh::server::sshd_binary} -tf %"
 }
 default: {
 $validate_cmd = undef
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
index 738bce0d..2246e219 100644
--- a/spec/classes/init_spec.rb
+++ b/spec/classes/init_spec.rb
@@ -134,7 +134,15 @@ }
 end
- it { is_expected.to contain_concat('/etc/ssh/sshd_config').with_validate_cmd('/usr/sbin/sshd -tf %') }
+ sshd_binary = case os_facts[:os]['family']
+ when 'FreeBSD'
+ '/usr/local/sbin/sshd'
+ when 'Archlinux'
+ '/usr/bin/sshd'
+ else
+ '/usr/sbin/sshd'
+ end
+ it { is_expected.to contain_concat('/etc/ssh/sshd_config').with_validate_cmd("#{sshd_binary} -tf %") }
 end
 context 'without resource purging' do
diff --git a/spec/classes/server_spec.rb b/spec/classes/server_spec.rb
index afc34654..6a843890 100644
--- a/spec/classes/server_spec.rb
+++ b/spec/classes/server_spec.rb
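Review bot: The `case ... { true: { $sshd_validate_cmd = "${ssh::server::sshd_binary} -tf %" } default: { ... } }` block is now repeated in config.pp, config_file.pp and instances.pp (the last keyed on `$validate_config_file`), so the binary path and the `-tf %` arguments live in three places; computing the command once in `ssh::server` and referencing that value would keep them in one. `Stdlib::Absolutepath` does not exclude whitespace, so a `sshd_binary` containing a space would most likely be split when `validate_cmd` runs; either quote the interpolation, `"\"${ssh::server::sshd_binary}\" -tf %"`, or state in the `@param sshd_binary` text that the path must not contain spaces. The init_spec.rb hunk (and the server_spec.rb one on the next line) re-derives the per-OS binary path by hand rather than reading it from the module's data, so the two mappings can drift apart without a failing test. All three manifest hunks sit inside bodies that begin and end outside the hunk.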
@@ -86,7 +86,26 @@ }
 end
- it { is_expected.to contain_concat('/etc/ssh/sshd_config').with_validate_cmd('/usr/sbin/sshd -tf %') }
+ sshd_binary = case os_facts[:os]['family']
+ when 'FreeBSD'
+ '/usr/local/sbin/sshd'
+ when 'Archlinux'
+ '/usr/bin/sshd'
+ else
+ '/usr/sbin/sshd'
+ end
+ it { is_expected.to contain_concat('/etc/ssh/sshd_config').with_validate_cmd("#{sshd_binary} -tf %") }
+ end
+
+ context 'with a different sshd_binary location' do
+ let :params do
+ {
+ validate_sshd_file: true,
+ sshd_binary: '/usr/another_bin/sshd'
+ }
+ end
+
+ it { is_expected.to contain_concat('/etc/ssh/sshd_config').with_validate_cmd('/usr/another_bin/sshd -tf %') }
 end
 context 'with a different sshd_config location' do
From b2eef5dc88d6de131e7392d05d0eb83a76dd0687 Mon Sep 17 00:00:00 2001
From: Steffen Zieger
Date: Thu, 30 Oct 2025 17:06:46 +0100
Subject: [PATCH 245/246] make user/group of resources configurable (#436)
---
 REFERENCE.md | 39 +++++++++++++++++++++++++++++++--
 data/common.yaml | 5 +++++
 manifests/client.pp | 25 +++++++++++++--------
 manifests/client/config.pp | 4 ++--
 manifests/server.pp | 16 ++++++++++++--
 manifests/server/config.pp | 12 +++++-----
 manifests/server/config_file.pp | 4 ++--
 manifests/server/host_key.pp | 20 ++++++++--------
 manifests/server/instances.pp | 4 ++--
 9 files changed, 94 insertions(+), 35 deletions(-)
diff --git a/REFERENCE.md b/REFERENCE.md
index 4644646e..53c7fef3 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -337,6 +337,8 @@ The following parameters are available in the `ssh::client` class:
 * [`options_absent`](#-ssh--client--options_absent)
 * [`default_options`](#-ssh--client--default_options)
 * [`match_block`](#-ssh--client--match_block)
+* [`config_user`](#-ssh--client--config_user)
+* [`config_group`](#-ssh--client--config_group)
 ##### `ssh_config`
@@ -406,6 +408,18 @@ Add ssh match_block (with concat)
 Default value: `{}`
+##### `config_user`
+
+Data type: `Variant[Integer, String[1]]`
+
+Numeric id or name of the user for the config file
+
+##### `config_group`
+
+Data type: `Variant[Integer, String[1]]`
+
+Numeric id or name of the group for the config file
+
 ### `ssh::hostkeys`
 This class manages hostkeys
@@ -548,8 +562,11 @@ The following parameters are available in the `ssh::server` class:
 * [`sshd_dir`](#-ssh--server--sshd_dir)
 * [`sshd_binary`](#-ssh--server--sshd_binary)
 * [`sshd_config_mode`](#-ssh--server--sshd_config_mode)
+* [`host_priv_key_user`](#-ssh--server--host_priv_key_user)
 * [`host_priv_key_group`](#-ssh--server--host_priv_key_group)
 * [`host_priv_key_mode`](#-ssh--server--host_priv_key_mode)
+* [`config_user`](#-ssh--server--config_user)
+* [`config_group`](#-ssh--server--config_group)
 * [`default_options`](#-ssh--server--default_options)
 * [`ensure`](#-ssh--server--ensure)
 * [`include_dir`](#-ssh--server--include_dir)
@@ -596,11 +613,17 @@ Data type: `Stdlib::Filemode`
 Mode to set on the sshd config file
+##### `host_priv_key_user`
+
+Data type: `Variant[Integer, String[1]]`
+
+Numeric id or name of the user for the private host key
+
 ##### `host_priv_key_group`
-Data type: `Integer`
+Data type: `Variant[Integer, String[1]]`
-Name of the group for the private host key
+Numeric id or name of the group for the private host key
 ##### `host_priv_key_mode`
@@ -608,6 +631,18 @@ Data type: `Stdlib::Filemode`
 Mode of the private host key
+##### `config_user`
+
+Data type: `Variant[Integer, String[1]]`
+
+Numeric id or name of the user for the sshd config file
+
+##### `config_group`
+
+Data type: `Variant[Integer, String[1]]`
+
+Numeric id or name of the group for the sshd config file
+
 ##### `default_options`
 Data type: `Hash`
diff --git a/data/common.yaml b/data/common.yaml
index 16223f07..cfc822e6 100644
--- a/data/common.yaml
+++ b/data/common.yaml
@@ -21,6 +21,11 @@ ssh::server::sshd_config_mode: '0600'
 ssh::client::ssh_config: '/etc/ssh/ssh_config'
 ssh::server::service_name: 'svc:/network/ssh:default'
 ssh::sftp_server_path: 'internal-sftp'
+ssh::client::config_user: 0
+ssh::client::config_group: 0
+ssh::server::config_user: 0
+ssh::server::config_group: 0
+ssh::server::host_priv_key_user: 0
 ssh::server::host_priv_key_group: 0
 ssh::server::host_priv_key_mode: '0600'
 ssh::validate_sshd_file : false
diff --git a/manifests/client.pp b/manifests/client.pp
index dd450646..73e4fc2c 100644
--- a/manifests/client.pp
+++ b/manifests/client.pp
@@ -35,16 +35,23 @@ # @param match_block
 # Add ssh match_block (with concat)
 #
+# @param config_user
+# Numeric id or name of the user for the config file
+# @param config_group
+# Numeric id or name of the group for the config file
+#
 class ssh::client (
- Stdlib::Absolutepath $ssh_config,
- Hash $default_options,
- Optional[String[1]] $client_package_name = undef,
- String $ensure = present,
- Boolean $storeconfigs_enabled = true,
- Hash $options = {},
- Boolean $use_augeas = false,
- Array $options_absent = [],
- Hash $match_block = {},
+ Stdlib::Absolutepath $ssh_config,
+ Hash $default_options,
+ Variant[Integer, String[1]] $config_user,
+ Variant[Integer, String[1]] $config_group,
+ Optional[String[1]] $client_package_name = undef,
+ String $ensure = present,
+ Boolean $storeconfigs_enabled = true,
+ Hash $options = {},
+ Boolean $use_augeas = false,
+ Array $options_absent = [],
+ Hash $match_block = {},
 ) {
 if $use_augeas {
 $merged_options = sshclient_options_to_augeas_ssh_config($options, $options_absent, { 'target' => $ssh_config })
diff --git a/manifests/client/config.pp b/manifests/client/config.pp
index 40c3ca2e..2547add7 100644
--- a/manifests/client/config.pp
+++ b/manifests/client/config.pp
@@ -18,8 +18,8 @@ } else {
 concat { $ssh::client::ssh_config:
 ensure => present,
- owner => 0,
- group => 0,
+ owner => $ssh::client::config_user,
+ group => $ssh::client::config_group,
 mode => '0644',
 }
diff --git a/manifests/server.pp b/manifests/server.pp
index 123cf3da..3e040a80 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -23,12 +23,21 @@ # @param sshd_config_mode
 # Mode to set on the sshd config file
 #
+# @param host_priv_key_user
+# Numeric id or name of the user for the private host key
+#
 # @param host_priv_key_group
-# Name of the group for the private host key
+# Numeric id or name of the group for the private host key
 #
 # @param host_priv_key_mode
 # Mode of the private host key
 #
+# @param config_user
+# Numeric id or name of the user for the sshd config file
+#
+# @param config_group
+# Numeric id or name of the group for the sshd config file
+#
 # @param default_options
 # Default options to set, will be merged with options parameter
 #
@@ -80,8 +89,11 @@ Stdlib::Absolutepath $sshd_dir,
 Stdlib::Absolutepath $sshd_binary,
 Stdlib::Filemode $sshd_config_mode,
- Integer $host_priv_key_group,
+ Variant[Integer, String[1]] $host_priv_key_user,
+ Variant[Integer, String[1]] $host_priv_key_group,
 Stdlib::Filemode $host_priv_key_mode,
+ Variant[Integer, String[1]] $config_user,
+ Variant[Integer, String[1]] $config_group,
 Hash $default_options,
 String $ensure = present,
 Optional[Stdlib::Absolutepath] $include_dir = undef,
diff --git a/manifests/server/config.pp b/manifests/server/config.pp
index 2c78b5eb..ee6c0e9c 100644
--- a/manifests/server/config.pp
+++ b/manifests/server/config.pp
@@ -34,8 +34,8 @@ } else {
 concat { $ssh::server::sshd_config:
 ensure => present,
- owner => 0,
- group => 0,
+ owner => $ssh::server::config_user,
+ group => $ssh::server::config_group,
 mode => $ssh::server::sshd_config_mode,
 validate_cmd => $sshd_validate_cmd,
 notify => Service[$ssh::server::service_name],
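Review bot: The new `# @param config_user` / `# @param config_group` text in the `ssh::server` header says they own "the sshd config file", but the same pair is applied on the following lines to `include_dir`, `issue_net`, every `ssh::server::config_file` and instance config, and the public host key and certificate files in `host_key.pp`, so an operator who changes them for the config file alone will also re-own host key material. Widen the wording, e.g. `# Numeric id or name of the user owning the sshd config file, include_dir, issue_net and the public host key/certificate files` (same for the group), and mirror it in REFERENCE.md. Whether the public key and cert files should instead follow `host_priv_key_user`/`host_priv_key_group` is a design choice the header comment should state, since the private and public halves of one key can now end up with different owners. The `ssh::server` parameter list and the resources in the other files begin and end outside these hunks.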
@@ -51,8 +51,8 @@ if $ssh::server::include_dir {
 file { $ssh::server::include_dir:
 ensure => directory,
- owner => 0,
- group => 0,
+ owner => $ssh::server::config_user,
+ group => $ssh::server::config_group,
 mode => $ssh::server::include_dir_mode,
 purge => $ssh::server::include_dir_purge,
 recurse => $ssh::server::include_dir_purge,
@@ -68,8 +68,8 @@ if $ssh::server::use_issue_net {
 file { $ssh::server::issue_net:
 ensure => file,
- owner => 0,
- group => 0,
+ owner => $ssh::server::config_user,
+ group => $ssh::server::config_group,
 mode => $ssh::server::sshd_config_mode,
 content => template("${module_name}/issue.net.erb"),
 notify => Service[$ssh::server::service_name],
diff --git a/manifests/server/config_file.pp b/manifests/server/config_file.pp
index c122e2f4..69970c24 100644
--- a/manifests/server/config_file.pp
+++ b/manifests/server/config_file.pp
@@ -31,8 +31,8 @@ concat { $path:
 ensure => present,
- owner => 0,
- group => 0,
+ owner => $ssh::server::config_user,
+ group => $ssh::server::config_group,
 mode => $mode,
 validate_cmd => $sshd_validate_cmd,
 notify => Service[$ssh::server::service_name],
diff --git a/manifests/server/host_key.pp b/manifests/server/host_key.pp
index 4a881bfa..309bc6ed 100644
--- a/manifests/server/host_key.pp
+++ b/manifests/server/host_key.pp
@@ -87,8 +87,8 @@ if $ensure == 'present' {
 file { "${name}_pub":
 ensure => $ensure,
- owner => 0,
- group => 0,
+ owner => $ssh::server::config_user,
+ group => $ssh::server::config_group,
 mode => '0644',
 path => "${ssh::server::sshd_dir}/${name}.pub",
 source => $manage_pub_key_source,
@@ -98,7 +98,7 @@ file { "${name}_priv":
 ensure => $ensure,
- owner => 0,
+ owner => $ssh::server::host_priv_key_user,
 group => $ssh::server::host_priv_key_group,
 mode => $ssh::server::host_priv_key_mode,
 path => "${ssh::server::sshd_dir}/${name}",
@@ -110,8 +110,8 @@ } else {
 file { "${name}_pub":
 ensure => $ensure,
- owner => 0,
- group => 0,
+ owner => $ssh::server::config_user,
+ group => $ssh::server::config_group,
 mode => '0644',
 path => "${ssh::server::sshd_dir}/${name}.pub",
 notify => Class['ssh::server::service'],
@@ -119,7 +119,7 @@ file { "${name}_priv":
 ensure => $ensure,
- owner => 0,
+ owner => $ssh::server::host_priv_key_user,
 group => $ssh::server::host_priv_key_group,
 mode => $ssh::server::host_priv_key_mode,
 path => "${ssh::server::sshd_dir}/${name}",
@@ -132,8 +132,8 @@ if $ensure == 'present' {
 file { "${name}_cert":
 ensure => $ensure,
- owner => 0,
- group => 0,
+ owner => $ssh::server::config_user,
+ group => $ssh::server::config_group,
 mode => '0644',
 path => "${ssh::server::sshd_dir}/${name}-cert.pub",
 source => $manage_cert_source,
@@ -143,8 +143,8 @@ } else {
 file { "${name}_cert":
 ensure => $ensure,
- owner => 0,
- group => 0,
+ owner => $ssh::server::config_user,
+ group => $ssh::server::config_group,
 mode => '0644',
 path => "${ssh::server::sshd_dir}/${name}-cert.pub",
 notify => Class['ssh::server::service'],
diff --git a/manifests/server/instances.pp b/manifests/server/instances.pp
index f366aab1..51dced39 100644
--- a/manifests/server/instances.pp
+++ b/manifests/server/instances.pp
@@ -55,8 +55,8 @@ concat { $sshd_instance_config_file:
 ensure => $ensure,
- owner => 0,
- group => 0,
+ owner => $ssh::server::config_user,
+ group => $ssh::server::config_group,
 mode => '0600',
 validate_cmd => $validate_cmd,
 notify => Service["${title}.service"],
From adf712a5ff9453ad36974cbebbe60827d38d91d7 Mon Sep 17 00:00:00 2001
From: Steffen Zieger
Date: Thu, 30 Oct 2025 17:21:28 +0100
Subject: [PATCH 246/246] Release 14.1.0 (#437)
Co-authored-by: Release Automation
---
 CHANGELOG.md | 13 +++++++++++++
 metadata.json | 2 +-
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 13b3146b..dbaba9ce 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,19 @@ All notable changes to this project will be documented in this file. Each new release typically also includes the latest modulesync defaults. These should not affect the functionality of the module.
+## [v14.1.0](https://github.com/saz/puppet-ssh/tree/v14.1.0) (2025-10-30)
+
+[Full Changelog](https://github.com/saz/puppet-ssh/compare/v14.0.2...v14.1.0)
+
+**Implemented enhancements:**
+
+- make user/group of resources configurable [\#436](https://github.com/saz/puppet-ssh/pull/436) ([saz](https://github.com/saz))
+- set KbdInteractiveAuthentication on newer SSH versions [\#434](https://github.com/saz/puppet-ssh/pull/434) ([saz](https://github.com/saz))
+
+**Fixed bugs:**
+
+- use proper sshd binary location in config validate command [\#435](https://github.com/saz/puppet-ssh/pull/435) ([saz](https://github.com/saz))
+
 ## [v14.0.2](https://github.com/saz/puppet-ssh/tree/v14.0.2) (2025-10-30)
 [Full Changelog](https://github.com/saz/puppet-ssh/compare/v14.0.1...v14.0.2)
diff --git a/metadata.json b/metadata.json
index 70f49099..a9338916 100644
--- a/metadata.json
+++ b/metadata.json
@@ -1,6 +1,6 @@ {
 "name": "saz-ssh",
- "version": "14.0.2",
+ "version": "14.1.0",
 "author": "saz",
 "summary": "Manage SSH client and server via Puppet.",
 "license": "Apache-2.0",