From: Peter Palfrader
Date: Sat, 7 Sep 2019 15:05:24 +0000 (+0200)
Subject: Add puppet classes to store and collect ssh authkeys information
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=75a47136ac8063fe8c340ca005ef2ba84c2595e7;p=mirror%2Fdsa-puppet.git
Add puppet classes to store and collect ssh authkeys information
---
diff --git a/modules/ssh/manifests/authorized_key_add.pp b/modules/ssh/manifests/authorized_key_add.pp
new file mode 100644
index 000000000..44cdc8025
--- /dev/null
+++ b/modules/ssh/manifests/authorized_key_add.pp
@@ -0,0 +1,41 @@
+# store ssh authorized_keys snippets that roles on different hosts can then
+# collect using ssh::authorized_key_collect
+
+define ssh::authorized_key_add(
+ String $target_user,
+ String $command,
+ String $key,
+ String $collect_tag,
+ Array[Stdlib::IP::Address] $from_hosts = $base::public_addresses,
+) {
+ $from = $from_hosts.join(',')
+
+ if (size(split($key, "\n")) > 1) {
+ fail('More than one line in key for ssh::authorized_key')
+ }
+ if (size(split($command, '"')) > 1) {
+ fail('command must not contain double quotes')
+ }
+ if (size(split($from, '"')) > 1) {
+ fail('from_hosts must not contain double quotes')
+ }
+
+ $from_space = $from_hosts.join(' ')
+
+ @@concat::fragment { "ssh::authorized_key::${name} ${target_user} ${from}":
+ tag => "ssh::authorized_key::fragment::${collect_tag}::${target_user}",
+ target => "/etc/ssh/userkeys/${target_user}",
+ order => '200',
+ content => @("EOF"),
+ command="${command}",from="${from}",restrict ${key}
+ | EOF
+ }
+
+ @@ferm::rule { "ssh-${target_user}-${name}":
+ tag => "ssh::authorized_key::ferm::${collect_tag}::${target_user}",
+ description => "allow ssh for ssh to ${target_user}",
+ domain => '(ip ip6)',
+ chain => 'ssh',
+ rule => "saddr (${from_space}) ACCEPT",
+ }
+}
diff --git a/modules/ssh/manifests/authorized_key_collect.pp b/modules/ssh/manifests/authorized_key_collect.pp
new file mode 100644
index 000000000..3fccc2578
--- /dev/null
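Review bot: The guard `if (size(split($command, '"')) > 1)` misses a double quote at the very end of the string, because Puppet's split follows Ruby semantics and drops trailing empty fields, so `'foo"'` splits into a single element and passes; the same edge case affects the newline check on `$key`. A regex match is the reliable form: `if $command =~ /"/ { fail('command must not contain double quotes') }` and `if $key =~ /\n/ { fail('More than one line in key for ssh::authorized_key') }`. The check on `$from` is redundant given the `Array[Stdlib::IP::Address]` type on `$from_hosts`, whereas an empty `$from_hosts` is not rejected and would emit `from=""` plus a ferm rule with an empty `saddr ()` list, so `if empty($from_hosts) { fail('from_hosts must not be empty') }` is the check worth adding. In the cases above the generated line appears to fail closed (sshd would reject the malformed options line or match no source host), so the effect is a silently unusable key rather than a bypass, but a catalog-time fail is the clearer outcome.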
+++ b/modules/ssh/manifests/authorized_key_collect.pp
@@ -0,0 +1,16 @@
+# collect authorized_keys stored using authorized_key_add
+
+define ssh::authorized_key_collect(
+ String $target_user,
+ String $collect_tag,
+) {
+ concat { "/etc/ssh/userkeys/${target_user}": }
+ concat::fragment { "/etc/ssh/userkeys/${target_user}-header":
+ target => "/etc/ssh/userkeys/${target_user}",
+ order => '000',
+ content => "# This file is maintained with puppet\n",
+ }
+ Concat::Fragment <<| tag == "ssh::authorized_key::fragment::${collect_tag}::${target_user}" |>>
+
+ Ferm::Rule <<| tag == "ssh::authorized_key::ferm::${collect_tag}::${target_user}" |>>
+}
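Review bot: The `concat { "/etc/ssh/userkeys/${target_user}": }` resource leaves owner and mode to the concat module's defaults, yet sshd only honours an authorized_keys file that is owned by root or the user and is not group- or world-writable, so the permissions are a security-relevant part of this resource and should be stated explicitly: `concat { "/etc/ssh/userkeys/${target_user}": owner => 'root', group => 'root', mode => '0644' }`. The header comment should also say that the define only takes effect where sshd_config's AuthorizedKeysFile includes this path, which is presumably configured elsewhere in the module. Worth a sentence too is that collecting by `tag == ...` trusts any node whose catalog exports a fragment with a matching `collect_tag`, so the tag acts as the authorisation boundary for which hosts may push keys and firewall openings to this user.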