From 521f6c633ac0c4c18fb342288691aa8bdec6f2e4 Mon Sep 17 00:00:00 2001
From: Ossi Salmi
Date: Wed, 12 Nov 2014 18:37:12 +0200
Subject: [PATCH] ssh: Backport ssh::allow from parameterize
---
.../parser/functions/augeas_set_children.rb | 22 +++++
ssh/manifests/init.pp | 88 +++++++++++++------
2 files changed, 84 insertions(+), 26 deletions(-)
create mode 100644 augeas/lib/puppet/parser/functions/augeas_set_children.rb
diff --git a/augeas/lib/puppet/parser/functions/augeas_set_children.rb b/augeas/lib/puppet/parser/functions/augeas_set_children.rb
new file mode 100644
index 0000000..c23ca05
--- /dev/null
+++ b/augeas/lib/puppet/parser/functions/augeas_set_children.rb
@@ -0,0 +1,22 @@
+module Puppet::Parser::Functions
+ newfunction(:augeas_set_children, :type => :rvalue) do |args|
+ if args.length != 2
+ raise Puppet::ParseError, ('augeas_set_children(): wrong number of arguments (#{args.length}; must be 2)')
+ end
+
+ key = args[0]
+ values = args[1]
+
+ if values.empty?
+ changes = [ "rm %s" % key ]
+ else
+ changes = [ "clear %s" % key ]
+ end
+
+ values.uniq.each.with_index do |value, i|
+ changes << "set %s/%s '%s'" % [ key, i+1, value ]
+ end
+
+ changes.join("\n")
+ end
+end
diff --git a/ssh/manifests/init.pp b/ssh/manifests/init.pp
index ff91186..f41d09a 100644
--- a/ssh/manifests/init.pp
+++ b/ssh/manifests/init.pp
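Review bot: The non-empty branch emits only `clear %s`, which sets the node's value to NULL and creates it if missing but does not delete children that already exist, so when the new list is shorter than what sshd_config already holds (say `AllowUsers alice bob carol` managed down to `['root', 'alice']`) the `AllowUsers/3 carol` entry survives and that user stays allowed. Prune before re-populating, e.g. `changes = [ "rm %s/*" % key, "clear %s" % key ]`. The values are also spliced into `set %s/%s '%s'` with no escaping, so a value containing a single quote or a newline either breaks the change string or, through `changes.join("\n")`, becomes an additional Augeas command; raising `Puppet::ParseError` for values matching `/['\n\r]/` would close that, since user and group names never legitimately contain them. Finally, the arity error message is single-quoted, so `#{args.length}` is emitted literally rather than interpolated; use double quotes there.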
@@ -180,33 +180,69 @@ class ssh::disable inherits ssh::server {
 #
 class ssh::allowgroups {
- include ssh::server
+ warning("ssh::allowgroups is deprecated, use ssh::allow")
- $root_group = $::operatingsystem ? {
- "openbsd" => "wheel",
- default => "root",
- }
-
- if $ssh_allowgroups {
- $ssh_allowgroups_real = inline_template("${root_group} <%= @ssh_allowgroups.join(' ') %>")
- } else {
- $ssh_allowgroups_real = $root_group
- }
-
- exec { "ssh-allowgroups-set":
- path => "/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin",
- cwd => "/etc/ssh",
- command => "echo 'AllowGroups ${ssh_allowgroups_real}' >> sshd_config",
- unless => "grep -q '^[^#]*AllowGroups' sshd_config",
- before => Exec["ssh-allowgroups-sub"],
- notify => Service["sshd"],
- }
- exec { "ssh-allowgroups-sub":
- path => "/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin",
- cwd => "/etc/ssh",
- command => "ruby -pi -e 'sub(/(AllowGroups).*/, \"\\\\1 ${ssh_allowgroups_real}\")' sshd_config",
- unless => "grep -q '^[^#]*AllowGroups ${ssh_allowgroups_real}' sshd_config",
- notify => Service["sshd"],
+ class { "ssh::allow":
+ groups => $ssh_allowgroups,
 }
 }
+
+
+# Set AllowUsers and AllowGroups in sshd_config.
+#
+# === Parameters
+#
+# $root:
+# Always allow root. Defaults to true.
+# $users:
+# Array of allowed users. Allow all if undefined.
+# $groups:
+# Array of allowed groups. Allow all if undefined.
+#
+class ssh::allow(
+ $root=true,
+ $users=undef,
+ $groups=undef,
+) {
+
+ include ssh::server
+
+ if $users {
+ if $root {
+ $users_real = merge('root', $users)
+ } else {
+ $users_real = $users
+ }
+ } else {
+ $users_real = []
+ }
+
+ $root_group = $::operatingsystem ? 
{ 'openbsd' => 'wheel', default => 'root', }
+
+ if $groups {
+ if $root {
+ $groups_real = merge($root_group, $groups)
+ } else {
+ $groups_real = $groups
+ }
+ } else {
+ $groups_real = []
+ }
+
+ augeas { 'ssh-allow-users':
+ context => '/files/etc/ssh/sshd_config',
+ changes => augeas_set_children('AllowUsers', $users_real),
+ notify => Service['sshd'],
+ }
+
+ augeas { 'ssh-allow-groups':
+ context => '/files/etc/ssh/sshd_config',
+ changes => augeas_set_children('AllowGroups', $groups_real),
+ notify => Service['sshd'],
+ }
+
+}
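Review bot: `merge('root', $users)` and `merge($root_group, $groups)` in `ssh::allow` read as an array union, but if `merge` resolves to puppetlabs-stdlib's function it merges hashes only and rejects a string argument at catalog compile time, which would make the class unusable whenever `$root` is left at its default; unless a project-local `merge` is in scope, `concat(['root'], $users)` (or `unique(flatten([ 'root', $users ]))`) is what is wanted, so please confirm which `merge` is loaded here. The class header should also state how sshd combines the two directives, since a login must pass every Allow/Deny list that is present: with both `$users` and `$groups` set, a user listed in `$users` is still refused unless they are also in one of `$groups`, e.g. `# Note: sshd applies AllowUsers AND AllowGroups; when both are set a user must satisfy both.` Likewise "Allow all if undefined" should say that undef makes `$users_real`/`$groups_real` an empty array, which `augeas_set_children` turns into an Augeas `rm`, so declaring the class with only `groups` silently deletes any hand-maintained AllowUsers line from sshd_config.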