From bf35cd2d366ae9e4964101aeea526e2d23852dcf Mon Sep 17 00:00:00 2001 From: Steffen Zieger Date: Tue, 19 Apr 2022 17:04:36 +0200 Subject: [PATCH] fix parameter lookup --- data/Amazon.yaml | 19 ++-- data/Archlinux.yaml | 17 ++-- data/Darwin.yaml | 11 ++- data/Debian.yaml | 19 ++-- data/DragonFly.yaml | 13 ++- data/FreeBSD.yaml | 13 ++- data/Gentoo.yaml | 17 ++-- data/OpenBSD.yaml | 11 ++- data/{OpenSuse.yaml => OpenSuSE.yaml} | 2 +- data/RedHat-7.yaml | 2 +- data/RedHat.yaml | 19 ++-- data/SLES.yaml | 2 +- data/SmartOS.yaml | 11 ++- data/Solaris-10.yaml | 4 +- data/Solaris.yaml | 20 ++--- data/Suse.yaml | 17 ++-- data/common.yaml | 24 ++--- manifests/client.pp | 17 ++-- manifests/client/config.pp | 4 +- manifests/client/config/user.pp | 20 +++-- manifests/client/install.pp | 6 +- manifests/init.pp | 37 +++----- manifests/knownhosts.pp | 2 +- manifests/server.pp | 27 +++--- manifests/server/config.pp | 16 ++-- manifests/server/config/setting.pp | 4 +- manifests/server/host_key.pp | 16 ++-- manifests/server/install.pp | 7 +- manifests/server/instances.pp | 8 +- manifests/server/match_block.pp | 2 +- manifests/server/options.pp | 2 +- manifests/server/service.pp | 5 +- spec/classes/client_spec.rb | 37 ++++++++ spec/classes/init_spec.rb | 124 +++++++++++++++++++------- spec/classes/server_spec.rb | 87 ++++++++++++++++++ templates/sshd_config.erb | 11 ++- 36 files changed, 407 insertions(+), 246 deletions(-) rename data/{OpenSuse.yaml => OpenSuSE.yaml} (61%) create mode 100644 spec/classes/client_spec.rb create mode 100644 spec/classes/server_spec.rb diff --git a/data/Amazon.yaml b/data/Amazon.yaml index 3869c98c..a2042c3d 100644 --- a/data/Amazon.yaml +++ b/data/Amazon.yaml 
@@ -1,12 +1,11 @@ --- -ssh::server_package_name: 'openssh-server' -ssh::client_package_name: 'openssh-clients' -ssh::sshd_dir: '/etc/ssh' -ssh::sshd_binary: '/usr/sbin/sshd' -ssh::sshd_environments_file: '/etc/sysconfig/sshd' -ssh::sshd_config: '/etc/ssh/sshd_config' -ssh::ssh_config: '/etc/ssh/ssh_config' -ssh::ssh_known_hosts: '/etc/ssh/ssh_known_hosts' -ssh::service_name: 'sshd' +ssh::server::server_package_name: 'openssh-server' +ssh::client::client_package_name: 'openssh-clients' +ssh::server::sshd_dir: '/etc/ssh' +ssh::server::sshd_binary: '/usr/sbin/sshd' +ssh::server::sshd_environments_file: '/etc/sysconfig/sshd' +ssh::server::sshd_config: '/etc/ssh/sshd_config' +ssh::client::ssh_config: '/etc/ssh/ssh_config' +ssh::server::service_name: 'sshd' ssh::sftp_server_path: '/usr/libexec/openssh/sftp-server' -ssh::host_priv_key_group: 0 +ssh::server::host_priv_key_group: 0 diff --git a/data/Archlinux.yaml b/data/Archlinux.yaml index 73b6ee1a..3255fb6d 100644 --- a/data/Archlinux.yaml +++ b/data/Archlinux.yaml @@ -1,11 +1,10 @@ --- -ssh::server_package_name: 'openssh' -ssh::client_package_name: 'openssh' -ssh::sshd_dir: '/etc/ssh' -ssh::sshd_binary: '/usr/bin/sshd' -ssh::sshd_config: '/etc/ssh/sshd_config' -ssh::ssh_config: '/etc/ssh/ssh_config' -ssh::ssh_known_hosts: '/etc/ssh/ssh_known_hosts' -ssh::service_name: 'sshd.service' +ssh::server::server_package_name: 'openssh' +ssh::client::client_package_name: 'openssh' +ssh::server::sshd_dir: '/etc/ssh' +ssh::server::sshd_binary: '/usr/bin/sshd' +ssh::server::sshd_config: '/etc/ssh/sshd_config' +ssh::client::ssh_config: '/etc/ssh/ssh_config' +ssh::server::service_name: 'sshd.service' ssh::sftp_server_path: '/usr/lib/ssh/sftp-server' -ssh::host_priv_key_group: 0 +ssh::server::host_priv_key_group: 0 diff --git a/data/Darwin.yaml b/data/Darwin.yaml index f3cff65c..5a6a4610 100644 --- a/data/Darwin.yaml +++ b/data/Darwin.yaml 
@@ -1,8 +1,7 @@ --- -ssh::sshd_dir: '/etc/ssh' -ssh::sshd_config: '/etc/ssh/sshd_config' -ssh::ssh_config: '/etc/ssh/ssh_config' -ssh::ssh_known_hosts: '/etc/ssh/ssh_known_hosts' -ssh::service_name: 'com.openssh.sshd' +ssh::server::sshd_dir: '/etc/ssh' +ssh::server::sshd_config: '/etc/ssh/sshd_config' +ssh::client::ssh_config: '/etc/ssh/ssh_config' +ssh::server::service_name: 'com.openssh.sshd' ssh::sftp_server_path: '/usr/libexec/sftp-server' -ssh::host_priv_key_group: 0 +ssh::server::host_priv_key_group: 0 diff --git a/data/Debian.yaml b/data/Debian.yaml index e07e99ce..e59e67ab 100644 --- a/data/Debian.yaml +++ b/data/Debian.yaml @@ -1,12 +1,11 @@ --- -ssh::server_package_name: 'openssh-server' -ssh::client_package_name: 'openssh-client' -ssh::sshd_dir: '/etc/ssh' -ssh::sshd_binary: '/usr/sbin/sshd' -ssh::sshd_config: '/etc/ssh/sshd_config' -ssh::sshd_environments_file: '/etc/default/ssh' -ssh::ssh_config: '/etc/ssh/ssh_config' -ssh::ssh_known_hosts: '/etc/ssh/ssh_known_hosts' -ssh::service_name: 'ssh' +ssh::server::server_package_name: 'openssh-server' +ssh::client::client_package_name: 'openssh-client' +ssh::server::sshd_dir: '/etc/ssh' +ssh::server::sshd_binary: '/usr/sbin/sshd' +ssh::server::sshd_config: '/etc/ssh/sshd_config' +ssh::server::sshd_environments_file: '/etc/default/ssh' +ssh::client::ssh_config: '/etc/ssh/ssh_config' +ssh::server::service_name: 'ssh' ssh::sftp_server_path: '/usr/lib/openssh/sftp-server' -ssh::host_priv_key_group: 0 +ssh::server::host_priv_key_group: 0 diff --git a/data/DragonFly.yaml b/data/DragonFly.yaml index 1c1ae476..d7d94bc4 100644 --- a/data/DragonFly.yaml +++ b/data/DragonFly.yaml 
@@ -1,9 +1,8 @@ --- -ssh::sshd_dir: '/etc/ssh' -ssh::sshd_binary: '/usr/local/sbin/sshd' -ssh::sshd_config: '/etc/ssh/sshd_config' -ssh::ssh_config: '/etc/ssh/ssh_config' -ssh::ssh_known_hosts: '/etc/ssh/ssh_known_hosts' -ssh::service_name: 'sshd' +ssh::server::sshd_dir: '/etc/ssh' +ssh::server::sshd_binary: '/usr/local/sbin/sshd' +ssh::server::sshd_config: '/etc/ssh/sshd_config' +ssh::client::ssh_config: '/etc/ssh/ssh_config' +ssh::server::service_name: 'sshd' ssh::sftp_server_path: '/usr/libexec/sftp-server' -ssh::host_priv_key_group: 0 +ssh::server::host_priv_key_group: 0 diff --git a/data/FreeBSD.yaml b/data/FreeBSD.yaml index 1c1ae476..d7d94bc4 100644 --- a/data/FreeBSD.yaml +++ b/data/FreeBSD.yaml @@ -1,9 +1,8 @@ --- -ssh::sshd_dir: '/etc/ssh' -ssh::sshd_binary: '/usr/local/sbin/sshd' -ssh::sshd_config: '/etc/ssh/sshd_config' -ssh::ssh_config: '/etc/ssh/ssh_config' -ssh::ssh_known_hosts: '/etc/ssh/ssh_known_hosts' -ssh::service_name: 'sshd' +ssh::server::sshd_dir: '/etc/ssh' +ssh::server::sshd_binary: '/usr/local/sbin/sshd' +ssh::server::sshd_config: '/etc/ssh/sshd_config' +ssh::client::ssh_config: '/etc/ssh/ssh_config' +ssh::server::service_name: 'sshd' ssh::sftp_server_path: '/usr/libexec/sftp-server' -ssh::host_priv_key_group: 0 +ssh::server::host_priv_key_group: 0 diff --git a/data/Gentoo.yaml b/data/Gentoo.yaml index e0ae775b..37014c39 100644 --- a/data/Gentoo.yaml +++ b/data/Gentoo.yaml 
@@ -1,11 +1,10 @@ --- -ssh::server_package_name: 'openssh' -ssh::client_package_name: 'openssh' -ssh::sshd_dir: '/etc/ssh' -ssh::sshd_binary: '/usr/sbin/sshd' -ssh::sshd_config: '/etc/ssh/sshd_config' -ssh::ssh_config: '/etc/ssh/ssh_config' -ssh::ssh_known_hosts: '/etc/ssh/ssh_known_hosts' -ssh::service_name: 'sshd' +ssh::server::server_package_name: 'openssh' +ssh::client::client_package_name: 'openssh' +ssh::server::sshd_dir: '/etc/ssh' +ssh::server::sshd_binary: '/usr/sbin/sshd' +ssh::server::sshd_config: '/etc/ssh/sshd_config' +ssh::client::ssh_config: '/etc/ssh/ssh_config' +ssh::server::service_name: 'sshd' ssh::sftp_server_path: '/usr/lib64/misc/sftp-server' -ssh::host_priv_key_group: 0 +ssh::server::host_priv_key_group: 0 diff --git a/data/OpenBSD.yaml b/data/OpenBSD.yaml index c4e6954d..14bcb6b0 100644 --- a/data/OpenBSD.yaml +++ b/data/OpenBSD.yaml @@ -1,11 +1,10 @@ --- -ssh::sshd_dir: '/etc/ssh' -ssh::sshd_config: '/etc/ssh/sshd_config' -ssh::ssh_config: '/etc/ssh/ssh_config' -ssh::ssh_known_hosts: '/etc/ssh/ssh_known_hosts' -ssh::service_name: 'sshd' +ssh::server::sshd_dir: '/etc/ssh' +ssh::server::sshd_config: '/etc/ssh/sshd_config' +ssh::client::ssh_config: '/etc/ssh/ssh_config' +ssh::server::service_name: 'sshd' ssh::sftp_server_path: '/usr/libexec/sftp-server' -ssh::host_priv_key_group: 0 +ssh::server::host_priv_key_group: 0 ssh::server_options: ChallengeResponseAuthentication: 'no' diff --git a/data/OpenSuse.yaml b/data/OpenSuSE.yaml similarity index 61% rename from data/OpenSuse.yaml rename to data/OpenSuSE.yaml index 054cfc3f..41400cef 100644 --- a/data/OpenSuse.yaml +++ b/data/OpenSuSE.yaml @@ -1,3 +1,3 @@ --- -ssh::service_name: 'sshd' +ssh::server::service_name: 'sshd' ssh::sftp_server_path: '/usr/lib/ssh/sftp-server' diff --git a/data/RedHat-7.yaml b/data/RedHat-7.yaml index 845f62a3..9ee7359d 100644 --- a/data/RedHat-7.yaml +++ b/data/RedHat-7.yaml 
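Review bot: The `ssh::server_options:` key at the end of the OpenBSD hunk keeps its old name while every sibling key in the file moves to the `ssh::server::` namespace and common.yaml renames the same key to `ssh::server::options` with `merge: deep`; as written, the OpenBSD `ChallengeResponseAuthentication: 'no'` entry is no longer part of the deep-merged `ssh::server::options` lookup and reaches sshd only if the `ssh` wrapper class still forwards its `$server_options` parameter, which this diff does not show. Rename it to match the rest of the data: `ssh::server::options:` with the same nested `ChallengeResponseAuthentication: 'no'` value. The hunk ends on that nested line, so any further OpenBSD options are outside this view.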
@@ -1,2 +1,2 @@ --- -ssh::host_priv_key_group: 'ssh_keys' +ssh::server::host_priv_key_group: 'ssh_keys' diff --git a/data/RedHat.yaml b/data/RedHat.yaml index e93a7e92..81138ce0 100644 --- a/data/RedHat.yaml +++ b/data/RedHat.yaml @@ -1,12 +1,11 @@ --- -ssh::server_package_name: 'openssh-server' -ssh::client_package_name: 'openssh-clients' -ssh::sshd_dir: '/etc/ssh' -ssh::sshd_binary: '/usr/sbin/sshd' -ssh::sshd_config: '/etc/ssh/sshd_config' -ssh::sshd_environments_file: '/etc/sysconfig/sshd' -ssh::ssh_config: '/etc/ssh/ssh_config' -ssh::ssh_known_hosts: '/etc/ssh/ssh_known_hosts' -ssh::service_name: 'sshd' +ssh::server::server_package_name: 'openssh-server' +ssh::client::client_package_name: 'openssh-clients' +ssh::server::sshd_dir: '/etc/ssh' +ssh::server::sshd_binary: '/usr/sbin/sshd' +ssh::server::sshd_config: '/etc/ssh/sshd_config' +ssh::server::sshd_environments_file: '/etc/sysconfig/sshd' +ssh::client::ssh_config: '/etc/ssh/ssh_config' +ssh::server::service_name: 'sshd' ssh::sftp_server_path: '/usr/libexec/openssh/sftp-server' -ssh::host_priv_key_group: 0 +ssh::server::host_priv_key_group: 0 diff --git a/data/SLES.yaml b/data/SLES.yaml index 054cfc3f..41400cef 100644 --- a/data/SLES.yaml +++ b/data/SLES.yaml @@ -1,3 +1,3 @@ --- -ssh::service_name: 'sshd' +ssh::server::service_name: 'sshd' ssh::sftp_server_path: '/usr/lib/ssh/sftp-server' diff --git a/data/SmartOS.yaml b/data/SmartOS.yaml index 91ddccdd..d9625d4c 100644 --- a/data/SmartOS.yaml +++ b/data/SmartOS.yaml 
@@ -1,8 +1,7 @@ --- -ssh::sshd_dir: '/etc/ssh' -ssh::sshd_config: '/etc/ssh/sshd_config' -ssh::ssh_config: '/etc/ssh/ssh_config' -ssh::ssh_known_hosts: '/etc/ssh/ssh_known_hosts' -ssh::service_name: 'svc:/network/ssh:default' +ssh::server::sshd_dir: '/etc/ssh' +ssh::server::sshd_config: '/etc/ssh/sshd_config' +ssh::client::ssh_config: '/etc/ssh/ssh_config' +ssh::server::service_name: 'svc:/network/ssh:default' ssh::sftp_server_path: 'internal-sftp' -ssh::host_priv_key_group: 0 +ssh::server::host_priv_key_group: 0 diff --git a/data/Solaris-10.yaml b/data/Solaris-10.yaml index 35a59395..29b5d713 100644 --- a/data/Solaris-10.yaml +++ b/data/Solaris-10.yaml @@ -1,3 +1,3 @@ --- -ssh::server_package_name: 'SUNWsshdu' -ssh::client_package_name: 'SUNWsshu' +ssh::server::server_package_name: 'SUNWsshdu' +ssh::client::client_package_name: 'SUNWsshu' diff --git a/data/Solaris.yaml b/data/Solaris.yaml index 89fe5370..2ba518ec 100644 --- a/data/Solaris.yaml +++ b/data/Solaris.yaml @@ -1,16 +1,6 @@ --- -ssh::server_package_name: '/service/network/ssh' -ssh::client_package_name: '/network/ssh' -ssh::sshd_binary: '/lib/svc/method/sshd' -ssh::ssh::service_name: 'svc:/network/ssh:default' - -ssh:sshd_default_options: - ChallengeResponseAuthentication: 'no' - X11Forwarding: 'yes' - PrintMotd: 'no' - Subsystem: "sftp %{lookup('ssh::sftp_server_path')}" - HostKey: - - "%{lookup('ssh::sshd_dir')}/ssh_host_rsa_key" - - "%{lookup('ssh::sshd_dir')}/ssh_host_dsa_key" - -ssh::client_options: {} +ssh::server::server_package_name: '/service/network/ssh' +ssh::client::client_package_name: '/network/ssh' +ssh::server::sshd_binary: '/lib/svc/method/sshd' +ssh::server::service_name: 'svc:/network/ssh:default' +ssh::sftp_server_path: 'internal-sftp' diff --git a/data/Suse.yaml b/data/Suse.yaml index bdd1fd13..30639fa7 100644 --- a/data/Suse.yaml +++ b/data/Suse.yaml 
@@ -1,10 +1,9 @@ --- -ssh::server_package_name: 'openssh' -ssh::client_package_name: 'openssh' -ssh::sshd_dir: '/etc/ssh' -ssh::sshd_binary: '/usr/sbin/sshd' -ssh::sshd_config: '/etc/ssh/sshd_config' -ssh::sshd_environments_file: '/etc/sysconfig/ssh' -ssh::ssh_config: '/etc/ssh/ssh_config' -ssh::ssh_known_hosts: '/etc/ssh/ssh_known_hosts' -ssh::host_priv_key_group: 0 +ssh::server::server_package_name: 'openssh' +ssh::client::client_package_name: 'openssh' +ssh::server::sshd_dir: '/etc/ssh' +ssh::server::sshd_binary: '/usr/sbin/sshd' +ssh::server::sshd_config: '/etc/ssh/sshd_config' +ssh::server::sshd_environments_file: '/etc/sysconfig/ssh' +ssh::client::ssh_config: '/etc/ssh/ssh_config' +ssh::server::host_priv_key_group: 0 diff --git a/data/common.yaml b/data/common.yaml index dcc69a05..ceb3f3e5 100644 --- a/data/common.yaml +++ b/data/common.yaml @@ -8,21 +8,23 @@ lookup_options: merge: deep ssh::users_client_options: merge: deep + ssh::server::options: + merge: deep + ssh::client::options: + merge: deep -ssh::sshd_dir: '/etc/ssh' -ssh::sshd_config: '/etc/ssh/sshd_config' -ssh::ssh_config: '/etc/ssh/ssh_config' -ssh::ssh_known_hosts: '/etc/ssh/ssh_known_hosts' -ssh::service_name: 'svc:/network/ssh:default' +ssh::server::sshd_dir: '/etc/ssh' +ssh::server::sshd_config: '/etc/ssh/sshd_config' +ssh::client::ssh_config: '/etc/ssh/ssh_config' +ssh::server::service_name: 'svc:/network/ssh:default' ssh::sftp_server_path: 'internal-sftp' -ssh::host_priv_key_group: 0 +ssh::server::host_priv_key_group: 0 ssh::validate_sshd_file : false -ssh::user_ssh_directory_default_mode: '0700' -ssh::user_ssh_config_default_mode : '0600' ssh::collect_enabled : true # Collect sshkey resources -ssh::issue_net : '/etc/issue.net' +ssh::server::issue_net : '/etc/issue.net' +ssh::knownhosts::collect_enabled : true -ssh::server_options: +ssh::server::options: ChallengeResponseAuthentication: 'no' X11Forwarding: 'yes' PrintMotd: 'no' 
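Review bot: `ssh::collect_enabled : true` survives in the common.yaml hunk as a context line, but the `ssh` class in this same patch drops its `$collect_enabled` parameter and `ssh::knownhosts` now reads `ssh::knownhosts::collect_enabled`, so the old key is dead data that silently does nothing for anyone who overrides it in their own hierarchy. Either delete the line or keep it only with a comment such as `# deprecated: use ssh::knownhosts::collect_enabled instead`. The removal of `ssh::user_ssh_directory_default_mode` and `ssh::user_ssh_config_default_mode` has the same shape: existing site-level overrides of those keys stop applying and `~/.ssh` falls back to the define's hard-coded defaults, which deserves a README/CHANGELOG note because it changes file permissions without any error.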
@@ -30,7 +32,7 @@ ssh::server_options:
 Subsystem: "sftp %{lookup('ssh::sftp_server_path')}"
 UsePAM: 'yes'
-ssh::client_options:
+ssh::client::options:
 'Host *':
 SendEnv: 'LANG LC_*'
 HashKnownHosts: 'yes'
diff --git a/manifests/client.pp b/manifests/client.pp
index f8f873bb..78c629c1 100644
--- a/manifests/client.pp
+++ b/manifests/client.pp
@@ -1,4 +1,3 @@
-# @api private
 # @summary
 # This class add ssh client management
 #
@@ -22,16 +21,16 @@
 # Remove options (with augeas style)
 #
 class ssh::client (
- String $ensure = present,
- Boolean $storeconfigs_enabled = true,
- Hash $options = {},
- Boolean $use_augeas = false,
- Array $options_absent = [],
+ Stdlib::Absolutepath $ssh_config,
+ Optional[String] $client_package_name = undef,
+ String $ensure = present,
+ Boolean $storeconfigs_enabled = true,
+ Hash $options = {},
+ Boolean $use_augeas = false,
+ Array $options_absent = [],
 ) {
- assert_private()
-
 if $use_augeas {
- $merged_options = sshclient_options_to_augeas_ssh_config($options, $options_absent, { 'target' => $ssh::ssh_config })
+ $merged_options = sshclient_options_to_augeas_ssh_config($options, $options_absent, { 'target' => $ssh_config })
 } else {
 $merged_options = $options
 }
diff --git a/manifests/client/config.pp b/manifests/client/config.pp
index 83be373d..09ae4c4c 100644
--- a/manifests/client/config.pp
+++ b/manifests/client/config.pp
@@ -1,11 +1,13 @@
 class ssh::client::config {
+ assert_private()
+
 $options = $ssh::client::merged_options
 $use_augeas = $ssh::client::use_augeas
 if $use_augeas {
 create_resources('ssh_config', $options)
 } else {
- file { $ssh::ssh_config:
+ file { $ssh::client::ssh_config:
 ensure => file,
 owner => '0',
 group => '0',
diff --git a/manifests/client/config/user.pp b/manifests/client/config/user.pp
index c53ed8d7..2200919e 100644
--- a/manifests/client/config/user.pp
+++ b/manifests/client/config/user.pp
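Review bot: The two parameters added to `ssh::client`, `ssh_config` and `client_package_name`, have no `@param` entries in the class header, and dropping `# @api private` turns this into a public class whose documentation consumers will rely on. Add `# @param ssh_config` (absolute path of the system-wide ssh_config, now required and normally supplied by the module's Hiera data) and `# @param client_package_name` (client package to install; `undef` skips the package resource) above the parameter list. Note also that `init.pp` still declares the server with the resource-like `class { 'ssh::server': ... }` form and presumably the client the same way outside this hunk; once `ssh::client` is public, a site that does `include ssh::client` before `include ssh` will hit a duplicate declaration, which is worth stating in the README or guarding against.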
@@ -4,14 +4,16 @@
 # Contributor: Tim Meusel (2017)
 #
 define ssh::client::config::user (
- Enum['present', 'absent'] $ensure = present,
- Optional[Stdlib::Absolutepath] $target = undef,
- Optional[Stdlib::Absolutepath] $user_home_dir = undef,
- Boolean $manage_user_ssh_dir = true,
- Hash $options = {},
- String[1] $user = $name,
+ Enum['present', 'absent'] $ensure = present,
+ Optional[Stdlib::Absolutepath] $target = undef,
+ Optional[Stdlib::Absolutepath] $user_home_dir = undef,
+ Boolean $manage_user_ssh_dir = true,
+ Hash $options = {},
+ String[1] $user = $name,
+ String[1] $ssh_directory_default_mode = '0700',
+ String[1] $ssh_config_default_mode = '0600',
 ) {
- include ssh
+ include ssh::client
 # If a specific target file was specified,
 # it must have higher priority than any
@@ -33,7 +35,7 @@
 file { $user_ssh_dir:
 ensure => directory,
 owner => $user,
- mode => $ssh::user_ssh_directory_default_mode,
+ mode => $ssh_directory_default_mode,
 before => Concat_file[$_target],
 }
 }
@@ -44,7 +46,7 @@
 concat_file { $_target:
 ensure => $ensure,
 owner => $user,
- mode => $ssh::user_ssh_config_default_mode,
+ mode => $ssh_config_default_mode,
 tag => $name,
 }
 }
diff --git a/manifests/client/install.pp b/manifests/client/install.pp
index d9f83dff..a8ea495a 100644
--- a/manifests/client/install.pp
+++ b/manifests/client/install.pp
@@ -1,7 +1,9 @@
 class ssh::client::install {
- if $ssh::client_package_name {
+ assert_private()
+
+ if $ssh::client::client_package_name {
 ensure_packages([
- $ssh::client_package_name,
+ $ssh::client::client_package_name,
 ], {
 'ensure' => $ssh::client::ensure,
 })
diff --git a/manifests/init.pp b/manifests/init.pp
index 27e2df41..7ff88e15 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
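Review bot: `ssh_directory_default_mode` and `ssh_config_default_mode` are typed `String[1]`, which accepts any non-empty string such as `'777'`, `'rw-r--r--'` or a typo, whereas the values they replace were typed `Stdlib::Filemode` in `class ssh`; for the directory and file that hold a user's private-key configuration that loss of validation is a regression. Use `Stdlib::Filemode $ssh_directory_default_mode = '0700',` and `Stdlib::Filemode $ssh_config_default_mode = '0600',`. Both parameters also need `@param` documentation in the define's header, which is above the first hunk and outside this view.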
@@ -148,32 +148,19 @@
 # Use issue_net header
 #
 class ssh (
- Stdlib::Absolutepath $sshd_dir,
- Stdlib::Absolutepath $sshd_binary,
- Boolean $validate_sshd_file,
- Stdlib::Absolutepath $sshd_config,
- Stdlib::Absolutepath $ssh_config,
- Stdlib::Filemode $user_ssh_directory_default_mode,
- Stdlib::Filemode $user_ssh_config_default_mode,
- Integer $host_priv_key_group,
- String $service_name,
- Boolean $collect_enabled,
- Optional[Stdlib::Absolutepath] $sshd_environments_file = undef,
- Optional[String] $server_package_name = undef,
- Optional[String] $client_package_name = undef,
+ Variant[Optional,Hash] $server_options = undef,
+ Hash $server_match_block = {},
+ Variant[Optional,Hash] $client_options = undef,
+ Hash $users_client_options = {},
+ String $version = 'present',
+ Boolean $storeconfigs_enabled = true,
+ Boolean $validate_sshd_file = false,
+ Boolean $use_augeas = false,
+ Variant[Optional,Array] $server_options_absent = [],
+ Variant[Optional,Array] $client_options_absent = [],
+ Boolean $use_issue_net = false,
+ Boolean $purge_unmanaged_sshkeys = true,
 Hash[String[1],Hash[String[1],NotUndef]] $server_instances = {},
- Hash $server_options = {},
- Hash $server_match_block = {},
- Hash $client_options = {},
- Hash $users_client_options = {},
- String $version = 'present',
- Boolean $storeconfigs_enabled = true,
- Boolean $use_augeas = false,
- Array $server_options_absent = [],
- Array $client_options_absent = [],
- Boolean $use_issue_net = false,
- Boolean $purge_unmanaged_sshkeys = true,
-
 ) {
 class { 'ssh::server':
 ensure => $version,
diff --git a/manifests/knownhosts.pp b/manifests/knownhosts.pp
index eed301df..2b132b43 100644
--- a/manifests/knownhosts.pp
+++ b/manifests/knownhosts.pp
@@ -8,7 +8,7 @@
 # Define the hostkeys group storage
 #
 class ssh::knownhosts (
- Boolean $collect_enabled = $ssh::collect_enabled,
+ Boolean $collect_enabled = $ssh::knownhosts::collect_enabled,
 Optional[String] $storeconfigs_group = undef,
 ) {
 if ($collect_enabled) {
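Review bot: `Variant[Optional,Hash]` and `Variant[Optional,Array]` are not the idiomatic way to allow undef: an unparameterized `Optional` is at best redundant inside a `Variant` and, depending on the Puppet version, may match any value, so `server_options`, `client_options`, `server_options_absent` and `client_options_absent` are checked more loosely than the plain `Hash`/`Array` they replace. Write them as `Optional[Hash] $server_options = undef,` and `Optional[Array] $server_options_absent = undef,` (or keep `= []` with a plain `Array`). The `@param` documentation above the class is outside this hunk; if it still lists `sshd_dir`, `sshd_config` and the other removed parameters it needs the same pruning, and the body of `class ssh` continues past the `class { 'ssh::server':` line.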
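Review bot: In knownhosts.pp the default `$collect_enabled = $ssh::knownhosts::collect_enabled` refers to the very parameter it is defining. A class parameter named `collect_enabled` in `ssh::knownhosts` is already resolved through automatic parameter lookup as `ssh::knownhosts::collect_enabled` (which common.yaml now sets), so the default expression only runs when that key is absent, and at that point `$ssh::knownhosts::collect_enabled` is itself unset: with `strict_variables` that is a compile error, otherwise it is `undef` and fails the `Boolean` type check. Use a literal default, `Boolean $collect_enabled = true,`, which matches the data file and keeps host-key collection on by default.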
diff --git a/manifests/server.pp b/manifests/server.pp
index f17e82a8..161026c2 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -34,19 +34,24 @@
 # Add issue_net banner
 #
 class ssh::server (
- String $ensure = present,
- Boolean $storeconfigs_enabled = true,
- Hash $options = {},
- Boolean $validate_sshd_file = false,
- Boolean $use_augeas = false,
- Array $options_absent = [],
- Hash $match_block = {},
- Boolean $use_issue_net = false
+ String $service_name,
+ Stdlib::Absolutepath $sshd_config,
+ Stdlib::Absolutepath $sshd_dir,
+ Stdlib::Absolutepath $sshd_binary,
+ Integer $host_priv_key_group,
+ String $ensure = present,
+ Boolean $storeconfigs_enabled = true,
+ Hash $options = {},
+ Boolean $validate_sshd_file = false,
+ Boolean $use_augeas = false,
+ Array $options_absent = [],
+ Hash $match_block = {},
+ Boolean $use_issue_net = false,
+ Optional[Stdlib::Absolutepath] $sshd_environments_file = undef,
+ Optional[String] $server_package_name = undef,
 ) {
- assert_private()
-
 if $use_augeas {
- $merged_options = sshserver_options_to_augeas_sshd_config($options, $options_absent, { 'target' => $ssh::sshd_config })
+ $merged_options = sshserver_options_to_augeas_sshd_config($options, $options_absent, { 'target' => $ssh::server::sshd_config })
 } else {
 $merged_options = $options
 }
diff --git a/manifests/server/config.pp b/manifests/server/config.pp
index 600de0af..cc632eff 100644
--- a/manifests/server/config.pp
+++ b/manifests/server/config.pp
@@ -4,6 +4,8 @@
 # @api private
 #
 class ssh::server::config {
+ assert_private()
+
 $options = $ssh::server::merged_options
 case $ssh::server::validate_sshd_file {
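Review bot: `Integer $host_priv_key_group` cannot accept the `'ssh_keys'` group name that `data/RedHat-7.yaml` in this same patch assigns to `ssh::server::host_priv_key_group`, so on that platform the class fails its parameter type check unless something outside this diff coerces the value (the old `class ssh` carried the same `Integer` type, so this is inherited rather than introduced, but the commit now touches both sides). Declare it as `Variant[Integer, String[1]] $host_priv_key_group,` since Puppet's `file` resource takes either a GID or a group name. Separately, inside `ssh::server` the augeas target can simply be `$sshd_config` rather than `$ssh::server::sshd_config`, and with `assert_private()` gone the class is public, so its six new parameters deserve `@param` entries in the header above; the class body continues past this hunk.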
@@ -18,35 +20,35 @@
 if $ssh::server::use_augeas {
 create_resources('sshd_config', $options)
 } else {
- concat { $ssh::sshd_config:
+ concat { $ssh::server::sshd_config:
 ensure => present,
 owner => 0,
 group => 0,
 mode => '0600',
 validate_cmd => $sshd_validate_cmd,
- notify => Service[$ssh::service_name],
+ notify => Service[$ssh::server::service_name],
 }
 concat::fragment { 'global config':
- target => $ssh::sshd_config,
+ target => $ssh::server::sshd_config,
 content => template("${module_name}/sshd_config.erb"),
 order => '00',
 }
 }
 if $ssh::server::use_issue_net {
- file { $ssh::issue_net:
+ file { $ssh::server::issue_net:
 ensure => file,
 owner => 0,
 group => 0,
 mode => '0644',
 content => template("${module_name}/issue.net.erb"),
- notify => Service[$ssh::service_name],
+ notify => Service[$ssh::server::service_name],
 }
 concat::fragment { 'banner file':
- target => $ssh::sshd_config,
- content => "Banner ${ssh::issue_net}\n",
+ target => $ssh::server::sshd_config,
+ content => "Banner ${ssh::server::issue_net}\n",
 order => '01',
 }
 }
diff --git a/manifests/server/config/setting.pp b/manifests/server/config/setting.pp
index 4a3d8455..915cc99b 100644
--- a/manifests/server/config/setting.pp
+++ b/manifests/server/config/setting.pp
@@ -8,7 +8,7 @@
 $value,
 $order = '10'
 ) {
- include ssh
+ include ssh::server
 if is_bool($value) {
 $real_value = $value ? {
@@ -25,7 +25,7 @@
 }
 concat::fragment { "ssh_setting_${name}_${key}":
- target => $ssh::sshd_config,
+ target => $ssh::server::sshd_config,
 content => "\n# added by Ssh::Server::Config::Setting[${name}]\n${key} ${real_value}\n",
 order => $order,
 }
diff --git a/manifests/server/host_key.pp b/manifests/server/host_key.pp
index 40b886c4..017b1e2b 100644
--- a/manifests/server/host_key.pp
+++ b/manifests/server/host_key.pp
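Review bot: `$ssh::server::issue_net` is used here both as a `file` title and in the `Banner` fragment, but the `ssh::server` parameter list rewritten in this patch has no `issue_net` parameter and no hunk adds one; the `ssh::server::issue_net: '/etc/issue.net'` entry in common.yaml is therefore never bound, and with `use_issue_net => true` the `file` resource gets an `undef` title (a catalog compile failure, or an unknown-variable error under `strict_variables`). Add `Stdlib::Absolutepath $issue_net = '/etc/issue.net',` to `class ssh::server` and, ideally, a spec context with `use_issue_net: true` asserting `contain_file('/etc/issue.net')` and the `Banner /etc/issue.net` fragment. The banner handling lives entirely in this hunk, but the class header it depends on is in `manifests/server.pp`.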
@@ -88,7 +88,7 @@
 owner => 0,
 group => 0,
 mode => '0644',
- path => "${ssh::sshd_dir}/${name}.pub",
+ path => "${ssh::server::sshd_dir}/${name}.pub",
 source => $manage_pub_key_source,
 content => $manage_pub_key_content,
 notify => Class['ssh::server::service'],
@@ -97,9 +97,9 @@
 file { "${name}_priv":
 ensure => $ensure,
 owner => 0,
- group => $ssh::host_priv_key_group,
+ group => $ssh::server::host_priv_key_group,
 mode => '0600',
- path => "${ssh::sshd_dir}/${name}",
+ path => "${ssh::server::sshd_dir}/${name}",
 source => $manage_priv_key_source,
 content => $manage_priv_key_content,
 show_diff => false,
@@ -111,16 +111,16 @@
 owner => 0,
 group => 0,
 mode => '0644',
- path => "${ssh::sshd_dir}/${name}.pub",
+ path => "${ssh::server::sshd_dir}/${name}.pub",
 notify => Class['ssh::server::service'],
 }
 file { "${name}_priv":
 ensure => $ensure,
 owner => 0,
- group => $ssh::host_priv_key_group,
+ group => $ssh::server::host_priv_key_group,
 mode => '0600',
- path => "${ssh::sshd_dir}/${name}",
+ path => "${ssh::server::sshd_dir}/${name}",
 show_diff => false,
 notify => Class['ssh::server::service'],
 }
@@ -133,7 +133,7 @@
 owner => 0,
 group => 0,
 mode => '0644',
- path => "${ssh::sshd_dir}/${name}-cert.pub",
+ path => "${ssh::server::sshd_dir}/${name}-cert.pub",
 source => $manage_cert_source,
 content => $manage_cert_content,
 notify => Class['ssh::server::service'],
@@ -144,7 +144,7 @@
 owner => 0,
 group => 0,
 mode => '0644',
- path => "${ssh::sshd_dir}/${name}-cert.pub",
+ path => "${ssh::server::sshd_dir}/${name}-cert.pub",
 notify => Class['ssh::server::service'],
 }
 }
diff --git a/manifests/server/install.pp b/manifests/server/install.pp
index eed5802e..f32c3657 100644
--- a/manifests/server/install.pp
+++ b/manifests/server/install.pp
@@ -4,10 +4,11 @@
 # @api private
 #
 class ssh::server::install {
- include ssh
- if $ssh::server_package_name {
+ assert_private()
+
+ if $ssh::server::server_package_name {
 ensure_packages ([
- $ssh::server_package_name,
+ $ssh::server::server_package_name,
 ], {
 'ensure' => $ssh::server::ensure,
 })
diff --git a/manifests/server/instances.pp b/manifests/server/instances.pp
index cb0b1f2f..93a051c7 100644
--- a/manifests/server/instances.pp
+++ b/manifests/server/instances.pp
@@ -12,11 +12,11 @@
 Stdlib::Ensure::Service $service_ensure = 'running',
 Boolean $service_enable = true,
 Boolean $validate_config_file = false,
- Stdlib::Absolutepath $sshd_instance_config_file = "${ssh::sshd_dir}/sshd_config.${title}",
- Stdlib::Absolutepath $sshd_binary = $ssh::sshd_binary,
- Optional[Stdlib::Absolutepath] $sshd_environments_file = $ssh::sshd_environments_file,
+ Stdlib::Absolutepath $sshd_instance_config_file = "${ssh::server::sshd_dir}/sshd_config.${title}",
+ Stdlib::Absolutepath $sshd_binary = $ssh::server::sshd_binary,
+ Optional[Stdlib::Absolutepath] $sshd_environments_file = $ssh::server::sshd_environments_file,
 ) {
- include ssh
+ include ssh::server
 $sshd_instance_config = assert_type(Hash, pick($options['sshd_config'], {}))
 $sshd_instance_matchblocks = assert_type(Hash, pick($options['match_blocks'], {}))
diff --git a/manifests/server/match_block.pp b/manifests/server/match_block.pp
index a883527c..04a20352 100644
--- a/manifests/server/match_block.pp
+++ b/manifests/server/match_block.pp
@@ -5,7 +5,7 @@
 Hash $options = {},
 String $type = 'user',
 Integer $order = 50,
- Stdlib::Absolutepath $target = $ssh::params::sshd_config,
+ Stdlib::Absolutepath $target = $ssh::server::sshd_config,
 ) {
 if $ssh::server::use_augeas {
 fail('ssh::server::match_block() define not supported with use_augeas = true')
diff --git a/manifests/server/options.pp b/manifests/server/options.pp
index d4e0e548..615fefe8 100644
--- a/manifests/server/options.pp
+++ b/manifests/server/options.pp
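Review bot: In instances.pp the parameter defaults `$ssh::server::sshd_dir`, `$ssh::server::sshd_binary` and `$ssh::server::sshd_environments_file` are evaluated before the `include ssh::server` in the body runs, so if this define is the first thing in a catalog to reference `ssh::server` the defaults resolve to `undef` (or an unknown-variable error under `strict_variables`) and `Stdlib::Absolutepath` rejects them; it works in the spec on this patch only because `class ssh` declares the server first. Document that dependency in the define header, for example `# @note ssh::server must be declared before this define is evaluated; its parameters are read as defaults here.`, or resolve the class variables in the body after the include. The same ordering applies to `$ssh::server::sshd_config` as the default for `target` in the match_block.pp hunk. The define bodies continue outside these hunks.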
@@ -8,7 +8,7 @@
 Integer $order = 50
 ) {
 concat::fragment { "options ${name}":
- target => $ssh::sshd_config,
+ target => $ssh::server::sshd_config,
 content => template("${module_name}/options.erb"),
 order => 100+$order,
 }
diff --git a/manifests/server/service.pp b/manifests/server/service.pp
index a668cc6f..1e1579d4 100644
--- a/manifests/server/service.pp
+++ b/manifests/server/service.pp
@@ -11,10 +11,9 @@
 String $ensure = 'running',
 Boolean $enable = true
 ) {
- include ssh
- include ssh::server
+ assert_private()
- service { $ssh::service_name:
+ service { $ssh::server::service_name:
 ensure => $ssh::server::service::ensure,
 hasstatus => true,
 hasrestart => true,
diff --git a/spec/classes/client_spec.rb b/spec/classes/client_spec.rb
new file mode 100644
index 00000000..a5a535d5
--- /dev/null
+++ b/spec/classes/client_spec.rb
@@ -0,0 +1,37 @@
+require 'spec_helper'
+
+describe 'ssh::client', type: 'class' do
+ on_supported_os.each do |os, os_facts|
+ context "on #{os}" do
+ let(:facts) { os_facts }
+
+ context 'with no other parameters' do
+ it { is_expected.to compile.with_all_deps }
+ it { is_expected.to contain_class('ssh::knownhosts') }
+ it { is_expected.to contain_class('ssh::client::config') }
+ it { is_expected.to contain_class('ssh::client::install') }
+ it { is_expected.to contain_file('/etc/ssh/ssh_config').with_content("# File managed by Puppet\n\nHost *\n HashKnownHosts yes\n SendEnv LANG LC_*\n") }
+ end
+
+ context 'with a different ssh_config location' do
+ let :params do
+ {
+ ssh_config: '/etc/ssh/another_ssh_config'
+ }
+ end
+
+ it { is_expected.to contain_file('/etc/ssh/another_ssh_config').with_content("# File managed by Puppet\n\nHost *\n HashKnownHosts yes\n SendEnv LANG LC_*\n") }
+ end
+
+ context 'with storeconfigs_enabled set to false' do
+ let :params do
+ {
+ storeconfigs_enabled: false
+ }
+ end
+
+ it { is_expected.not_to contain_class('ssh::knownhosts') }
+ end
+ end
+ end
+end
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index e4734645..11fb64c6 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb 
@@ -2,47 +2,78 @@ describe 'ssh', type: 'class' do on_supported_os.each do |os, os_facts| - let(:facts) { os_facts } - context "on #{os}" do - context 'Server with a seperate sftp_server_init instance on Port 8022' do - let :params do - { - 'server_instances' => { - 'sftp_server_init' => { - 'ensure' => 'present', - 'options' => { - 'sshd_config' => { - 'Port' => 8022, - 'Protocol' => 2, - 'AddressFamily' => 'any', - 'HostKey' => '/etc/ssh/ssh_host_rsa_key', - 'SyslogFacility' => 'AUTH', - 'LogLevel' => 'INFO', - 'PermitRootLogin' => 'no', + let(:facts) { os_facts } + + case os_facts[:os]['family'] + when 'Debian' + sftp_server_path = '/usr/lib/openssh/sftp-server' + when 'OpenSuSE', 'Archlinux' + sftp_server_path = '/usr/lib/ssh/sftp-server' + when 'Amazon', 'RedHat' + sftp_server_path = '/usr/libexec/openssh/sftp-server' + when 'Gentoo' + sftp_server_path = '/usr/lib64/misc/sftp-server' + when 'SmartOS', 'Solaris' + sftp_server_path = 'internal-sftp' + when 'Suse' + case os_facts[:os]['name'] + when 'OpenSuSE' + sftp_server_path = '/usr/lib/ssh/sftp-server' + when 'SLES' + case os_facts[:os]['release']['major'] + when 10, 11 + sftp_server_path = '/usr/lib64/ssh/sftp-server' + else + sftp_server_path = '/usr/lib/ssh/sftp-server' + end + end + else + sftp_server_path = '/usr/libexec/sftp-server' + end + + if os_facts[:kernel] == 'Linux' + context 'Server with a separate sftp_server_init instance on Port 8022' do + let :params do + { + 'server_instances' => { + 'sftp_server_init' => { + 'ensure' => 'present', + 'options' => { + 'sshd_config' => { + 'Port' => 8022, + 'Protocol' => 2, + 'AddressFamily' => 'any', + 'HostKey' => '/etc/ssh/ssh_host_rsa_key', + 'SyslogFacility' => 'AUTH', + 'LogLevel' => 'INFO', + 'PermitRootLogin' => 'no', + }, + 'sshd_service_options' => '', + 'match_blocks' => {}, }, - 'sshd_service_options' => '', - 'match_blocks' => {}, }, }, - }, - } - end + } + end - it { is_expected.to compile.with_all_deps } - it { is_expected.to 
contain_concat('/etc/ssh/sshd_config.sftp_server_init') } - it { is_expected.to contain_concat__fragment('sshd instance sftp_server_init config') } - it { is_expected.to contain_systemd__unit_file('sftp_server_init.service') } - it { is_expected.to contain_service('sftp_server_init.service') } - it { is_expected.to contain_ssh__server__instances('sftp_server_init') } - it { is_expected.to contain_class('ssh::client') } - it { is_expected.to contain_class('ssh::server') } - it { is_expected.to contain_concat('/etc/ssh/sshd_config').with_validate_cmd(nil) } - it { is_expected.to contain_resources('sshkey').with_purge(true) } + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_concat('/etc/ssh/sshd_config.sftp_server_init') } + it { is_expected.to contain_concat__fragment('sshd instance sftp_server_init config').with_content("# File is managed by Puppet\nAddressFamily any\nPort 8022\n\nHostKey /etc/ssh/ssh_host_rsa_key\nLogLevel INFO\nPermitRootLogin no\nProtocol 2\nSyslogFacility AUTH\n") } + it { is_expected.to contain_systemd__unit_file('sftp_server_init.service') } + it { is_expected.to contain_service('sftp_server_init.service') } + it { is_expected.to contain_ssh__server__instances('sftp_server_init') } + it { is_expected.to contain_class('ssh::client') } + it { is_expected.to contain_class('ssh::server') } + it { is_expected.to contain_concat('/etc/ssh/sshd_config').with_validate_cmd(nil) } + it { is_expected.to contain_resources('sshkey').with_purge(true) } + end end + context 'with all defaults' do it { is_expected.to compile.with_all_deps } end + context 'with the validate_sshd_file setting' do let :params do { @@ -50,9 +81,9 @@ } end - it { is_expected.to contain_class('ssh::client') } it { is_expected.to contain_concat('/etc/ssh/sshd_config').with_validate_cmd('/usr/sbin/sshd -tf %') } end + context 'without resource purging' do let :params do { 
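Review bot: The `when 10, 11` branch under `os_facts[:os]['release']['major']` compares against Integers, but facterdb (like Facter) reports `os.release.major` as a String such as `'11'`, so the branch never matches and SLES 10/11 falls through to `/usr/lib/ssh/sftp-server`; if a SLES 10/11 fixture is in the supported-OS list the later `Subsystem sftp #{sftp_server_path}` expectation would fail against whatever data file sets the lib64 path, and if none is, the branch is dead. Use `when '10', '11'`. Style-wise the ladder assigns the same local in every branch and reads better as `sftp_server_path = case os_facts[:os]['family'] ... end`, and `when 'OpenSuSE', 'Archlinux'` is keyed on the family while OpenSuSE is handled again under family `'Suse'`, so one of the two is redundant. The `describe` block continues past this hunk.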
@@ -62,11 +93,38 @@ it { is_expected.not_to contain_resources('sshkey') } end + context 'with no other parameters' do it { is_expected.to contain_class('ssh::client') } it { is_expected.to contain_class('ssh::server') } it { is_expected.to contain_concat('/etc/ssh/sshd_config').with_validate_cmd(nil) } it { is_expected.to contain_resources('sshkey').with_purge(true) } + it { is_expected.to contain_concat__fragment('global config').with_content("# File is managed by Puppet\n\nAcceptEnv LANG LC_*\nChallengeResponseAuthentication no\nPrintMotd no\nSubsystem sftp #{sftp_server_path}\nUsePAM yes\nX11Forwarding yes\n") } + it { is_expected.to contain_file('/etc/ssh/ssh_config').with_content("# File managed by Puppet\n\nHost *\n HashKnownHosts yes\n SendEnv LANG LC_*\n") } + end + + context 'with custom server options' do + let :params do + { + server_options: { + X11Forwarding: 'no', + UsePAM: 'no', + SomeOtherKey: 'someValue' + } + } + end + + it { is_expected.to contain_concat__fragment('global config').with_content("# File is managed by Puppet\n\nSomeOtherKey someValue\nUsePAM no\nX11Forwarding no\n") } + end + + context 'with storeconfigs_enabled set to false' do + let :params do + { + storeconfigs_enabled: false + } + end + + it { is_expected.not_to contain_class('ssh::knownhosts') } end end end diff --git a/spec/classes/server_spec.rb b/spec/classes/server_spec.rb new file mode 100644 index 00000000..0e640aba --- /dev/null +++ b/spec/classes/server_spec.rb 
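Review bot: The `with custom server options` expectation pins that supplying `server_options` replaces the shipped defaults wholesale: the rendered fragment holds only the three custom keys, so `Subsystem sftp …`, `ChallengeResponseAuthentication no`, `AcceptEnv` and `PrintMotd` from the `with no other parameters` context disappear. If that is intended, say so above the context, e.g. `# server_options replaces (does not merge with) the defaults in data/common.yaml`; if the defaults were meant to be merged, this spec is locking in a regression that drops the sftp subsystem as soon as a user sets any option. The default fragment asserted here also includes `X11Forwarding yes`, which most SSH hardening baselines turn off; that comes from module data rather than this hunk, but a comment noting the spec mirrors the data defaults rather than a recommended configuration would stop it being read as an endorsement.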
@@ -0,0 +1,87 @@ +require 'spec_helper' + +describe 'ssh::server', type: 'class' do + on_supported_os.each do |os, os_facts| + context "on #{os}" do + let(:facts) { os_facts } + + case os_facts[:os]['family'] + when 'Debian' + svc_name = 'ssh' + when 'Archlinux' + svc_name = 'sshd.service' + when 'Darwin' + svc_name = 'com.openssh.sshd' + when 'Solaris', 'SmartOS' + svc_name = 'svc:/network/ssh:default' + else + svc_name = 'sshd' + end + + context 'with no other parameters' do + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_class('ssh::knownhosts') } + it { is_expected.to contain_class('ssh::server::config') } + it { is_expected.to contain_class('ssh::server::install') } + it { is_expected.to contain_class('ssh::server::service') } + it { is_expected.to contain_service(svc_name) } + it { is_expected.to contain_concat('/etc/ssh/sshd_config').with_validate_cmd(nil) } + it { is_expected.to contain_concat__fragment('global config') } + end + + context 'with custom options' do + let :params do + { + options: { + X11Forwarding: 'no', + UsePAM: 'no', + SomeOtherKey: 'someValue' + } + } + end + + it { is_expected.to contain_concat__fragment('global config').with_content("# File is managed by Puppet\n\nSomeOtherKey someValue\nUsePAM no\nX11Forwarding no\n") } + end + + context 'with a custom service_name' do + let :params do + { + service_name: 'custom_sshd_name' + } + end + + it { is_expected.to contain_service('custom_sshd_name') } + end + + context 'with the validate_sshd_file setting' do + let :params do + { + validate_sshd_file: true + } + end + + it { is_expected.to contain_concat('/etc/ssh/sshd_config').with_validate_cmd('/usr/sbin/sshd -tf %') } + end + + context 'with a different sshd_config location' do + let :params do + { + sshd_config: '/etc/ssh/another_sshd_config' + } + end + + it { is_expected.to contain_concat('/etc/ssh/another_sshd_config') } + end + + context 'with storeconfigs_enabled set to false' do + let :params do + { + 
storeconfigs_enabled: false + } + end + + it { is_expected.not_to contain_class('ssh::knownhosts') } + end + end + end +end diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb index 374441fa..07af0880 100644 --- a/templates/sshd_config.erb +++ b/templates/sshd_config.erb @@ -11,11 +11,10 @@ end end -%> -<%- options = scope.lookupvar('ssh::server::merged_options') -%> -<%- if addressfamily = options.delete('AddressFamily') -%> +<%- if addressfamily = @options.delete('AddressFamily') -%> AddressFamily <%= addressfamily %> <%- end -%> -<%- if port = options.delete('Port') -%> +<%- if port = @options.delete('Port') -%> <%- if port.is_a?(Array) -%> <%- port.reject{ |x| x.to_s.strip.empty? }.each do |p| -%> Port <%= p %> @@ -24,7 +23,7 @@ Port <%= p %> Port <%= port %> <%- end -%> <%- end -%> -<%- if listen = options.delete('ListenAddress') -%> +<%- if listen = @options.delete('ListenAddress') -%> <%- if listen.is_a?(Array) -%> <%- listen.reject{ |x| x.strip.empty? }.each do |l| -%> ListenAddress <%= l %> @@ -34,8 +33,8 @@ ListenAddress <%= listen %> <%- end -%> <%- end -%> -<%- options.keys.sort_by{ |sk| (sk.to_s.downcase.include? "match") ? 'zzz' + sk.to_s : sk.to_s }.each do |k| -%> -<%- v = options[k] -%> +<%- @options.keys.sort_by{ |sk| (sk.to_s.downcase.include? "match") ? 'zzz' + sk.to_s : sk.to_s }.each do |k| -%> +<%- v = @options[k] -%> <%- if v.is_a?(Hash) -%> <%= k %> <%- v.keys.sort.each do |key| -%>
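Review bot: The `with the validate_sshd_file setting` context in the new server_spec asserts `with_validate_cmd('/usr/sbin/sshd -tf %')` for every OS yielded by `on_supported_os`, while `svc_name` just above is derived per OS family; the sshd binary location is equally distribution-specific (the module carries a per-OS `sshd_binary`, and some distributions install sshd outside `/usr/sbin`), so this expectation presumably fails on those platforms. Derive the expected binary in the same `case` as `svc_name` (`sshd_binary = '/usr/sbin/sshd'` as the `else`, overridden per family) and assert `with_validate_cmd("#{sshd_binary} -tf %")`. The per-OS `case` tables here and in init_spec duplicate each other and will drift; a shared helper in `spec_helper` would keep them in one place.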
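Review bot: The template now relies on the evaluating manifest binding an `options` variable and mutates it in place via `@options.delete('AddressFamily')`, `delete('Port')` and `delete('ListenAddress')`, with no guard for `@options` being unset. If a caller renders the template without `options` in scope, `@options` is nil and the first `delete` raises NoMethodError at catalog compile time; and if the hash handed in is shared with, or frozen by, the catalog, the deletes either leak into whatever else references that value or raise FrozenError — behaviour inherited from the old `lookupvar` code, but the refactor is the moment to make it explicit. Suggest copying once at the top, `<%- opts = @options.dup -%>`, using `opts` for the three deletes and the later key iteration, plus a header comment stating that the template expects `options` to be a Hash with the sshd option set already merged.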