-
Notifications
You must be signed in to change notification settings - Fork 133
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add keychain support #98
Conversation
content key_content + "\n" | ||
owner new_resource.username | ||
group Etc.getpwnam(new_resource.username).gid | ||
mode '0600' unless key_name =~ /.pub$/ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this logic is kinda arbitrary :-/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you elaborate why?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
you are assuming here that the pub keys will always end in .pub. Any reason to not enforce 0400 in general without any checks?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's an assumption, but one that is always true when using ssh-keygen
unless you manually rename your private key to *.pub
. :)
It will probably do no harm to just use 600 or even 400 for all files, the idea was to stick to the defaults (of ssh-keygen) if you can - And that would be 644 for the pubkey and 600 for the private one.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm okay making this assumption for now. If it breaks in the future we can remove it.
3294f45
to
e495968
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm okay with leaving the .pub
assumption, but I think there are two other changes that should be made before this is merged in.
I'm also looking to update the integration tests to use more recent distributions. Would you be willing to add integration tests for this functionality, including testing that the file modes are as-expected?
# avoid variable scoping issues in resource block | ||
key_name, key_content = name, key | ||
|
||
home = Etc.getpwnam(new_resource.username).dir |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Has this behavior been testing during a --why-run
when the user doesn't exist yet? I'm thinking you may be vulnerable to the same bug that was fixed in #89.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I suppose that my implementation will have the same issue. Is there a dynamic way of fixing this (without requiring a manual group
attribute to be set)?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@chr4 sorry for the delay in getting back to you. Been a busy few weeks. 😒
Looking around this file I think you might be able to work around this by using the @my_home
instance variable. It seems like this is used in a few other places where directory creation is handled. I wonder if it snuck in while this PR was sitting open.
Here are some examples of it being used:
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The problem with @my_home
is, that it's just an educated guess, assuming that the home directory resides in "#{node['user']['home_root']}/#{new_resource.username}"
.
I've just stumbled over the follwing code snipped in account.rb
(which determines the gid), which seems to do exactly what we want:
def user_gid
# this check is needed as the new user won't exit yet
# in why_run mode, causing an uncaught ArgumentError exception
Etc.getpwnam(new_resource.username).gid
rescue ArgumentError
nil
end
I'd suggest adding a user_home
method in a similar fashion, which then should be used everywhere instead of @my_home
. I'd use something like this:
# Returns the user's home directory, either from the `home` attribute (if specified), or using Etc.getpwnam()
def user_home
# This check is needed as the new user won't exit yet in why_run mode,
# causing an uncaught ArgumentError exception
new_resource.home || Etc.getpwnam(new_resource.username).dir
rescue ArgumentError
nil
end
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Alternatively, the new_resource.home
check can be done outside of the function: new_resource.home || user_home
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've implemented user_home
and pushed the changes. This works well for me.
key_name, key_content = name, key | ||
|
||
home = Etc.getpwnam(new_resource.username).dir | ||
r = file "#{home}/.ssh/#{name}" do |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please use ::File.join()
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, push incoming. There's other occasions of paths constructed using string interpolation, though. For example https://github.com/chr4-cookbooks/user/blob/e4959685d6e5db96939c0fb0e6f51bc21901437d/providers/account.rb#L182
Should those be adjusted as well then?
27819d5
to
a771a2d
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was looking to get this merged in to master today, and it looks like this introduces some bugs around the user_home
/@my_home
value.
I specifically merged the master branch in to this branch and tried to run the Ubuntu 16.04 Test Kitchen test (backed by Vagrant) chef exec kitchen converge 'lwrp.*1604'.
It ends up with this stacktrace:
I've only looked at it for a few moments, but I think the issue is only when a user_account
resource is called without specifying the home directory. Might we need to provide a default value in user_home
instead of returning nil
?
It might be a good idea to squash the commits of this branch in to a single commit detailing the changes made. We can then rebase that commit against |
…directly This fixes issues with `--why-run`, which fails as the user doesn't exist yet.
a771a2d
to
3b0befc
Compare
The problem is that when creating a user, the homedir is not existent yet. Therefore The Note: I've also rebased this onto master. Please confirm that you want all commits sqashed into one. In my opinion it might be useful to have them seperated. If it makes sense to you, I'll go ahead and squash them, though. Thanks for reviewing! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@chr4 Sorry for sucking so bad as a maintainer with this change. Personal-life stuff that's now thankfully cleared up. Let me merge this and get a release cut for you ASAP.
@chr4 |
:) Thanks! Now only #65 is missing, then I can abadon my fork :) |
Allows a keychain hash to be specified, containing an ssh keypair which
will be deployed to the users homedir.