Update ssh to 3216cd87ae97ee74f06edd0e4868cedbc90e86d9

3216cd87ae97ee74f06edd0e4868cedbc90e86d9 add summary, new release v2.8.1
10d5e39904498e64422450801779392085ca7baf new release v2.8.0
e7670e1640ed8569fce2461bcc1e804eb101383f Merge branch 'ccin2p3-feature/per_user_config'
b296ee7d6f6ce2d4dc5fd3939c13364b6eddaaa1 fix users_client_options if no hiera values found
e7a0ba390bbb3eb5a6f754ca513230a2f8dfaf53 Merge branch 'feature/per_user_config' of https://github.com/ccin2p3/puppet-ssh into ccin2p3-feature/per_user_config
0020bd68c6257db48092e131b233b1bf417bc3ba new release v2.7.0
adcce9563ad83d52b5979b08db696aa4af5488a0 cast port value to string before striping, fixes redhat-openstack#112
da7c691f0931dc61ca368d51445ffaddc6b2aba3 ignore Gemfile.lock and vendor dir
d1f515e6065a811286e9ebfce2afe07843858e3d Merge pull request redhat-openstack#122 from stjeanp/master
28d63dbde9c4d214d826ecb6f4644df820e3e6f8 Merge pull request redhat-openstack#115 from cisco87/patch-1
d316ce453117849eb10833e8c9d6a84284b14912 Merge pull request redhat-openstack#114 from tedivm/concat_bug
828e7cf6d032d573b63bac47e272aecae348446d Merge pull request redhat-openstack#113 from tedivm/client_server_bug
5526b90bcbb1862acf86677ad214f98c7bd62d4f Fixes to make puppet-lint happy
10192afbc62ef8de13ff0522daf6531f9ff91e01 New type for managing users ssh configuration file
34e3e6977c5661ea269ccd5b80b74a9f097c576b Fixed parameter alignment
cb626fd50fd039f51ffa4912182ad139f7203a93 It's needed since due for a bug in puppet hiera_hash might return an empty string instead of the default value.
6629299da7d788384a71ce30e5c57ac90c668a49 Deleted superfluous relationship
3e5821025f819822fd3df0b1f25c1589500959d0 Corrected dependency direction
ced449b51874d5d408c1ff59faddc42c3eedcbfb Made config class compatible with new concat module
fc6aa145e42fdaf801f22e422e43f40e8e151fb0 Corrected bug which applied server settings to the client

Change-Id: I6d7aa52b30763880ebe8dc20a3962081befede15

Author: xbezdick

Puppetfile

@@ -179,7 +179,7 @@ mod 'snmp',
   :git => 'https://github.com/razorsedge/puppet-snmp.git'
 
 mod 'ssh',
-  :commit => '5afa7d6cc30c129af66612928f3ab51f89ad7a26',
+  :commit => '3216cd87ae97ee74f06edd0e4868cedbc90e86d9',
   :git => 'https://github.com/saz/puppet-ssh.git'
 
 mod 'staging',

ssh/.gitignore

@@ -1,3 +1,5 @@
 pkg/
 *.swp
 .DS_Store
+Gemfile.lock
+vendor/

ssh/README.markdown

@@ -27,7 +27,7 @@ port 22 and 2222) should be passed as an array.
 
 This is working for both, client and server.
 
-### Both client and server
+### Both client, server and per user client configuration
 Host keys will be collected and distributed unless
  `storeconfigs_enabled` is `false`.
 
@@ -55,6 +55,15 @@ or
           'User' => 'ec2-user',
         },
       },
+      users_client_options => {
+        'bob' => {
+          options => {
+            'Host *.alice.fr' => {
+              'User' => 'alice',
+            },
+          },
+        },
+      },
     }
 ```
 
@@ -77,6 +86,13 @@ ssh::client_options:
         SendEnv: 'LANG LC_*'
         ForwardX11Trusted: 'yes'
         ServerAliveInterval: '10'
+
+ssh::users_client_options:
+    'bob':
+        'options':
+            'Host *.alice.fr':
+                'User': 'alice'
+                'PasswordAuthentication': 'no'
 ```
 
 ### Client only
@@ -105,6 +121,63 @@ or
     }
 ```
 
+### Per user client configuration
+
+**User's home is expected to be /home/bob**
+
+SSH configuration file will be `/home/bob/.ssh/config`.
+
+```puppet
+::ssh::client::config::user { 'bob':
+  ensure => present,
+  options => {
+    'HashKnownHosts' => 'yes'
+  }
+}
+```
+
+**User's home is passed to define type**
+
+SSH configuration file will be `/var/lib/bob/.ssh/config` and puppet will 
+manage directory `/var/lib/bob/.ssh`.
+
+```puppet
+::ssh::client::config::user { 'bob':
+  ensure => present,
+  user_home_dir => '/var/lib/bob',
+  options => {
+    'HashKnownHosts' => 'yes'
+  }
+}
+```
+
+**User's ssh directory should not be managed by the define type**
+
+SSH configuration file will be `/var/lib/bob/.ssh/config`.
+
+```puppet
+::ssh::client::config::user { 'bob':
+  ensure => present,
+  user_home_dir => '/var/lib/bob',
+  manage_user_ssh_dir => false,
+  options => {
+    'HashKnownHosts' => 'yes'
+  }
+}
+```
+
+**User's ssh config is specified with an absolute path**
+
+```puppet
+::ssh::client::config::user { 'bob':
+  ensure => present,
+  target => '/var/lib/bob/.ssh/ssh_config',
+  options => {
+    'HashKnownHosts' => 'yes'
+  }
+}
+```
+
 ### Server only
 Host keys will be collected for client distribution unless
  `storeconfigs_enabled` is `false`

ssh/manifests/client/config.pp

@@ -1,4 +1,7 @@
-class ssh::client::config {
+class ssh::client::config
+{
+  $options = $::ssh::client::merged_options
+
   file { $ssh::params::ssh_config:
     ensure  => present,
     owner   => '0',

ssh/manifests/client/config/user.pp

@@ -0,0 +1,56 @@
+#
+# Copyright (c) IN2P3 Computing Centre, IN2P3, CNRS
+# Contributor: Remi Ferrand <remi{dot}ferrand_at_cc(dot)in2p3.fr> (2015)
+#
+define ssh::client::config::user(
+  $ensure               = present,
+  $target               = undef,
+  $user_home_dir        = undef,
+  $manage_user_ssh_dir  = true,
+  $options              = {}
+)
+{
+  validate_re($ensure, '^(present|absent)$')
+  validate_hash($options)
+  validate_bool($manage_user_ssh_dir)
+
+  include ::ssh::params
+
+  $_files_ensure = $ensure ? { 'present' => 'file', 'absent' => 'absent' }
+
+  # If a specific target file was specified,
+  # it must have higher priority than any
+  # other parameter.
+  if ($target != undef) {
+    validate_absolute_path($target)
+    $_target = $target
+  }
+  else {
+    if ($user_home_dir == undef) {
+      $_user_home_dir = "/home/${name}"
+    }
+    else {
+      validate_absolute_path($user_home_dir)
+      $_user_home_dir = $user_home_dir
+    }
+
+    $user_ssh_dir = "${_user_home_dir}/.ssh"
+    $_target      = "${user_ssh_dir}/config"
+
+    if ($manage_user_ssh_dir == true) {
+      file { $user_ssh_dir:
+        ensure => directory,
+        owner  => $name,
+        mode   => $::ssh::params::user_ssh_directory_default_mode,
+        before => File[$_target]
+      }
+    }
+  }
+  
+  file { $_target:
+    ensure  => $_files_ensure,
+    owner   => $name,
+    mode    => $::ssh::params::user_ssh_config_default_mode,
+    content => template("${module_name}/ssh_config.erb")
+  }
+}

ssh/manifests/init.pp

@@ -1,33 +1,47 @@
 class ssh (
   $server_options       = {},
   $client_options       = {},
+  $users_client_options = {},
   $version              = 'present',
   $storeconfigs_enabled = true
 ) inherits ssh::params {
 
+  validate_hash($server_options)
+  validate_hash($client_options)
+  validate_hash($users_client_options)
+  validate_bool($storeconfigs_enabled)
+
   # Merge hashes from multiple layer of hierarchy in hiera
   $hiera_server_options = hiera_hash("${module_name}::server_options", undef)
   $hiera_client_options = hiera_hash("${module_name}::client_options", undef)
+  $hiera_users_client_options = hiera_hash("${module_name}::users_client_options", undef)
 
   $fin_server_options = $hiera_server_options ? {
     undef   => $server_options,
     default => $hiera_server_options,
   }
 
   $fin_client_options = $hiera_client_options ? {
-    undef   => $server_options,
+    undef   => $client_options,
     default => $hiera_client_options,
   }
 
+  $fin_users_client_options = $hiera_users_client_options ? {
+    undef   => $users_client_options,
+    default => $hiera_users_client_options,
+  }
+
   class { 'ssh::server':
+    ensure               => $version,
     storeconfigs_enabled => $storeconfigs_enabled,
     options              => $fin_server_options,
-    ensure               => $version,
   }
 
   class { 'ssh::client':
+    ensure               => $version,
     storeconfigs_enabled => $storeconfigs_enabled,
     options              => $fin_client_options,
-    ensure               => $version,
   }
+
+  create_resources('::ssh::client::config::user', $fin_users_client_options)
 }

ssh/manifests/params.pp

@@ -131,4 +131,7 @@
       'HashKnownHosts'       => 'yes',
     },
   }
+
+  $user_ssh_directory_default_mode = '0700'
+  $user_ssh_config_default_mode    = '0600'
 }

ssh/manifests/server.pp

@@ -9,6 +9,7 @@
 
   $fin_options = $hiera_options ? {
     undef   => $options,
+    ''      => $options,
     default => $hiera_options,
   }
 
@@ -18,8 +19,6 @@
   include ssh::server::config
   include ssh::server::service
 
-  File[$ssh::params::sshd_config] ~> Service[$ssh::params::service_name]
-
   anchor { 'ssh::server::start': }
   anchor { 'ssh::server::end': }
 

ssh/manifests/server/config.pp

@@ -1,11 +1,11 @@
 class ssh::server::config {
-  File[$ssh::params::sshd_config] ~> Service[$ssh::params::service_name]
 
   concat { $ssh::params::sshd_config:
     ensure => present,
     owner  => '0',
     group  => '0',
     mode   => '0600',
+    notify => Service[$ssh::params::service_name]
   }
 
   concat::fragment { 'global config':

ssh/manifests/server/match_block.pp

@@ -1,4 +1,4 @@
-define ssh::server::match_block ($type = 'user', $order = 50, $options,) {
+define ssh::server::match_block ($options, $type = 'user', $order = 50,) {
   concat::fragment { "match_block ${name}":
     target  => $ssh::params::sshd_config,
     content => template("${module_name}/sshd_match_block.erb"),