Showing with 149 additions and 2 deletions.

+1 −1 Modulefile

+18 −0 README.md

+15 −0 manifests/init.pp

+13 −1 metadata.json

+93 −0 spec/classes/init_spec.rb

+9 −0 templates/sshd_config.erb
diff --git a/Modulefile b/Modulefile
@@ -1,5 +1,5 @@
 name    'ghoneycutt-ssh'
-version '3.14.0'
+version '3.15.0'
 source 'git://github.com/ghoneycutt/puppet-module-ssh.git'
 author 'ghoneycutt'
 license 'Apache License, Version 2.0'

diff --git a/README.md b/README.md
@@ -306,6 +306,24 @@ Array of users for the DenyUsers setting in sshd_config.
 
 - *Default*: undef
 
+sshd_config_denygroups
+---------------------
+Array of groups for the DenyGroups setting in sshd_config.
+
+- *Default*: undef
+
+sshd_config_allowgroups
+-----------------------
+Array of users for the AllowGroups setting in sshd_config.
+
+- *Default*: undef
+
+sshd_config_allowusers
+-----------------------
+Array of users for the AllowUsers setting in sshd_config.
+
+- *Default*: undef
+
 keys
 ----
 Hash of keys for user's ~/.ssh/authorized_keys

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -40,6 +40,9 @@
   $sshd_config_ciphers              = undef,
   $sshd_config_macs                 = undef,
   $sshd_config_denyusers            = undef,
+  $sshd_config_denygroups           = undef,
+  $sshd_config_allowusers           = undef,
+  $sshd_config_allowgroups          = undef,
   $sshd_banner_content              = undef,
   $sshd_banner_owner                = 'root',
   $sshd_banner_group                = 'root',
@@ -352,6 +355,18 @@
     validate_array($sshd_config_denyusers)
   }
 
+  if $sshd_config_denygroups != undef {
+    validate_array($sshd_config_denygroups)
+  }
+
+  if $sshd_config_allowusers != undef {
+    validate_array($sshd_config_allowusers)
+  }
+
+  if $sshd_config_allowgroups != undef {
+    validate_array($sshd_config_allowgroups)
+  }
+
   if $ssh_config_hash_known_hosts_real != undef {
     validate_re($ssh_config_hash_known_hosts_real, '^(yes|no)$', "ssh::ssh_config_hash_known_hosts may be either 'yes' or 'no' and is set to <${ssh_config_hash_known_hosts_real}>.")
   }

diff --git a/metadata.json b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "ghoneycutt-ssh",
-  "version": "3.14.0",
+  "version": "3.15.0",
   "author": "ghoneycutt",
   "summary": "Manages SSH",
   "license": "Apache License, Version 2.0",
@@ -93,6 +93,18 @@
     "tests/init.pp": "423466ae46899d6a0480aa9910b096d2"
   },
   "dependencies": [
+    {
+      "name": "puppetlabs/stdlib",
+      "version_requirement": ">= 3.2.0"
+    },
+    {
+      "name": "ghoneycutt/common",
+      "version_requirement": ">= 1.0.2"
+    },
+    {
+      "name": "puppetlabs/firewall",
+      "version_requirement": ">= 0.2.1"
+    },
     {
       "name": "puppetlabs/stdlib",
       "version_requirement": ">= 3.2.0"

diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
@@ -85,6 +85,9 @@
     it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) }
     it { should contain_file('sshd_config').without_content(/^\s*MACs/) }
     it { should contain_file('sshd_config').without_content(/^\s*DenyUsers/) }
+    it { should contain_file('sshd_config').without_content(/^\s*DenyGroups/) }
+    it { should contain_file('sshd_config').without_content(/^\s*AllowUsers/) }
+    it { should contain_file('sshd_config').without_content(/^\s*AllowGroups/) }
 
     it {
       should contain_service('sshd_service').with({
@@ -200,6 +203,9 @@
     it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) }
     it { should contain_file('sshd_config').without_content(/^\s*MACs/) }
     it { should contain_file('sshd_config').without_content(/^\s*DenyUsers/) }
+    it { should contain_file('sshd_config').without_content(/^\s*DenyGroups/) }
+    it { should contain_file('sshd_config').without_content(/^\s*AllowUsers/) }
+    it { should contain_file('sshd_config').without_content(/^\s*AllowGroups/) }
 
     it {
       should contain_service('sshd_service').with({
@@ -297,6 +303,9 @@
     it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) }
     it { should contain_file('sshd_config').without_content(/^\s*MACs/) }
     it { should contain_file('sshd_config').without_content(/^\s*DenyUsers/) }
+    it { should contain_file('sshd_config').without_content(/^\s*DenyGroups/) }
+    it { should contain_file('sshd_config').without_content(/^\s*AllowUsers/) }
+    it { should contain_file('sshd_config').without_content(/^\s*AllowGroups/) }
 
     it {
       should contain_service('sshd_service').with({
@@ -393,6 +402,9 @@
     it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) }
     it { should contain_file('sshd_config').without_content(/^\s*MACs/) }
     it { should contain_file('sshd_config').without_content(/^\s*DenyUsers/) }
+    it { should contain_file('sshd_config').without_content(/^\s*DenyGroups/) }
+    it { should contain_file('sshd_config').without_content(/^\s*AllowUsers/) }
+    it { should contain_file('sshd_config').without_content(/^\s*AllowGroups/) }
 
     it {
       should contain_service('sshd_service').with({
@@ -496,6 +508,9 @@
     it { should contain_file('ssh_config').without_content(/^\s*Ciphers/) }
     it { should contain_file('ssh_config').without_content(/^\s*MACs/) }
     it { should contain_file('ssh_config').without_content(/^\s*DenyUsers/) }
+    it { should contain_file('sshd_config').without_content(/^\s*DenyGroups/) }
+    it { should contain_file('sshd_config').without_content(/^\s*AllowUsers/) }
+    it { should contain_file('sshd_config').without_content(/^\s*AllowGroups/) }
 
     it {
       should contain_service('sshd_service').with({
@@ -599,6 +614,9 @@
     it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) }
     it { should contain_file('sshd_config').without_content(/^\s*MACs/) }
     it { should contain_file('sshd_config').without_content(/^\s*DenyUsers/) }
+    it { should contain_file('sshd_config').without_content(/^\s*DenyGroups/) }
+    it { should contain_file('sshd_config').without_content(/^\s*AllowUsers/) }
+    it { should contain_file('sshd_config').without_content(/^\s*AllowGroups/) }
 
     it {
       should contain_service('sshd_service').with({
@@ -702,6 +720,9 @@
     it { should contain_file('sshd_config').without_content(/^\s*Ciphers/) }
     it { should contain_file('sshd_config').without_content(/^\s*MACs/) }
     it { should contain_file('sshd_config').without_content(/^\s*DenyUsers/) }
+    it { should contain_file('sshd_config').without_content(/^\s*DenyGroups/) }
+    it { should contain_file('sshd_config').without_content(/^\s*AllowUsers/) }
+    it { should contain_file('sshd_config').without_content(/^\s*AllowGroups/) }
 
     it {
       should contain_service('sshd_service').with({
@@ -839,6 +860,15 @@
         :sshd_config_denyusers           => [ 'root',
                                               'lusers',
         ],
+        :sshd_config_denygroups          => [ 'nossh',
+                                              'wheel',
+        ],
+        :sshd_config_allowusers          => [ 'foo',
+                                              'bar',
+        ],
+        :sshd_config_allowgroups         => [ 'ssh',
+                                              'security',
+        ],
       }
     end
 
@@ -883,6 +913,9 @@
     it { should contain_file('sshd_config').with_content(/^\s*Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc$/) }
     it { should contain_file('sshd_config').with_content(/^\s*MACs hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com$/) }
     it { should contain_file('sshd_config').with_content(/^\s*DenyUsers root lusers$/) }
+    it { should contain_file('sshd_config').with_content(/^\s*DenyGroups nossh wheel$/) }
+    it { should contain_file('sshd_config').with_content(/^\s*AllowUsers foo bar$/) }
+    it { should contain_file('sshd_config').with_content(/^\s*AllowGroups ssh security$/) }
 
     it {
       should contain_file('sshd_banner').with({
@@ -1037,6 +1070,66 @@
     end
   end
 
+  [true,'invalid'].each do |denygroups|
+    context "with sshd_config_denygroups set to invalid value #{denygroups}" do
+      let(:params) { { :sshd_config_denygroups => denygroups } }
+
+      let :facts do
+        {
+          :fqdn      => 'monkey.example.com',
+          :osfamily  => 'RedHat',
+          :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
+        }
+      end
+
+      it 'should fail' do
+        expect {
+          should contain_class('ssh')
+        }.to raise_error(Puppet::Error)
+      end
+    end
+  end
+
+  [true,'invalid'].each do |allowusers|
+    context "with sshd_config_allowusers set to invalid value #{allowusers}" do
+      let(:params) { { :sshd_config_allowusers => allowusers } }
+
+      let :facts do
+        {
+          :fqdn      => 'monkey.example.com',
+          :osfamily  => 'RedHat',
+          :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
+        }
+      end
+
+      it 'should fail' do
+        expect {
+          should contain_class('ssh')
+        }.to raise_error(Puppet::Error)
+      end
+    end
+  end
+
+  [true,'invalid'].each do |allowgroups|
+    context "with sshd_config_allowgroups set to invalid value #{allowgroups}" do
+      let(:params) { { :sshd_config_allowgroups => allowgroups } }
+
+      let :facts do
+        {
+          :fqdn      => 'monkey.example.com',
+          :osfamily  => 'RedHat',
+          :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
+        }
+      end
+
+      it 'should fail' do
+        expect {
+          should contain_class('ssh')
+        }.to raise_error(Puppet::Error)
+      end
+    end
+  end
+
   [true,'invalid'].each do |macs|
     context "with sshd_config_macs set to invalid value #{macs}" do
       let(:params) { { :sshd_config_macs => macs } }

diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb
@@ -168,3 +168,12 @@ MACs <%= @sshd_config_macs.join(',') %>
 <% if @sshd_config_denyusers -%>
 DenyUsers <%= @sshd_config_denyusers.join(' ') %>
 <% end -%>
+<% if @sshd_config_denygroups -%>
+DenyGroups <%= @sshd_config_denygroups.join(' ') %>
+<% end -%>
+<% if @sshd_config_allowusers -%>
+AllowUsers <%= @sshd_config_allowusers.join(' ') %>
+<% end -%>
+<% if @sshd_config_allowgroups -%>
+AllowGroups <%= @sshd_config_allowgroups.join(' ') %>
+<% end -%>