From 75a47136ac8063fe8c340ca005ef2ba84c2595e7 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Sat, 7 Sep 2019 17:05:24 +0200
Subject: [PATCH] Add puppet classes to store and collect ssh authkeys information

---
 modules/ssh/manifests/authorized_key_add.pp | 41 +++++++++++++++++++
 .../ssh/manifests/authorized_key_collect.pp | 16 ++++++++
 2 files changed, 57 insertions(+)
 create mode 100644 modules/ssh/manifests/authorized_key_add.pp
 create mode 100644 modules/ssh/manifests/authorized_key_collect.pp

diff --git a/modules/ssh/manifests/authorized_key_add.pp b/modules/ssh/manifests/authorized_key_add.pp
new file mode 100644
index 000000000..44cdc8025
--- /dev/null
+++ b/modules/ssh/manifests/authorized_key_add.pp
@@ -0,0 +1,41 @@
+# store ssh authorized_keys snippets that roles on different hosts can then
+# collect using ssh::authorized_key_collect
+
+define ssh::authorized_key_add(
+ String $target_user,
+ String $command,
+ String $key,
+ String $collect_tag,
+ Array[Stdlib::IP::Address] $from_hosts = $base::public_addresses,
+) {
+ $from = $from_hosts.join(',')
+
+ if (size(split($key, "\n")) > 1) {
+ fail('More than one line in key for ssh::authorized_key')
+ }
+ if (size(split($command, '"')) > 1) {
+ fail('command must not contain double quotes')
+ }
+ if (size(split($from, '"')) > 1) {
+ fail('from_hosts must not contain double quotes')
+ }
+
+ $from_space = $from_hosts.join(' ')
+
+ @@concat::fragment { "ssh::authorized_key::${name} ${target_user} ${from}":
+ tag => "ssh::authorized_key::fragment::${collect_tag}::${target_user}",
+ target => "/etc/ssh/userkeys/${target_user}",
+ order => '200',
+ content => @("EOF"),
+ command="${command}",from="${from}",restrict ${key}
+ | EOF
+ }
+
+ @@ferm::rule { "ssh-${target_user}-${name}":
+ tag => "ssh::authorized_key::ferm::${collect_tag}::${target_user}",
+ description => "allow ssh for ssh to ${target_user}",
+ domain => '(ip ip6)',
+ chain => 'ssh',
+ rule => "saddr (${from_space}) ACCEPT",
+ }
+}
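Review bot: The single-line check at `if (size(split($key, "\n")) > 1)` covers only `$key`; `$command` and the joined `$from` are screened for double quotes but not for newlines, so a `$command` value containing a line break would add a second, unrestricted line to `/etc/ssh/userkeys/${target_user}` on every collecting host. The `size(split(...))` form also, I believe, lets a trailing newline through, since split discards trailing empty fields. I would replace the three checks with pattern matches, e.g. `if $command =~ /["\\\r\n]/ { fail('command must not contain double quotes, backslashes or newlines') }` and `if $key =~ /[\r\n]/ { fail('key must be a single line') }` — the backslash is included because sshd treats `\"` inside a quoted option value as an escaped quote, so a trailing backslash would also let the value run past the closing quote. `$from` is built from `Array[Stdlib::IP::Address]`, so its quote check is redundant but harmless; a comment saying that the type is what guarantees the `from=` value is safe to embed would help the next reader.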
diff --git a/modules/ssh/manifests/authorized_key_collect.pp b/modules/ssh/manifests/authorized_key_collect.pp
new file mode 100644
index 000000000..3fccc2578
--- /dev/null
+++ b/modules/ssh/manifests/authorized_key_collect.pp
@@ -0,0 +1,16 @@
+# collect authorized_keys stored using authorized_key_add
+
+define ssh::authorized_key_collect(
+ String $target_user,
+ String $collect_tag,
+) {
+ concat { "/etc/ssh/userkeys/${target_user}": }
+ concat::fragment { "/etc/ssh/userkeys/${target_user}-header":
+ target => "/etc/ssh/userkeys/${target_user}",
+ order => '000',
+ content => "# This file is maintained with puppet\n",
+ }
+ Concat::Fragment <<| tag == "ssh::authorized_key::fragment::${collect_tag}::${target_user}" |>>
+
+ Ferm::Rule <<| tag == "ssh::authorized_key::ferm::${collect_tag}::${target_user}" |>>
+}
-- 
2.20.1
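Review bot: `concat { "/etc/ssh/userkeys/${target_user}": }` sets no `owner`, `group` or `mode`, so the file's permissions fall back to whatever the agent's defaults produce; sshd with `StrictModes` (the default) ignores an `AuthorizedKeysFile` that is group- or world-writable or owned by neither the user nor root, so the collected keys would silently stop working rather than fail loudly. I would pin them explicitly, `owner => 'root', group => 'root', mode => '0644',` and say in the header comment that sshd is expected to read this path via `AuthorizedKeysFile` (that configuration is outside this patch). `$target_user` is interpolated into the path here and in `authorized_key_add` without validation; a type such as `Pattern[/\A[a-z_][a-z0-9_-]*\z/]` on the parameter would keep a stray `/` or `..` from producing a path outside `/etc/ssh/userkeys/`. The directory itself is not managed in this patch — presumably elsewhere in the module, worth confirming.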