ssh: Backport ssh::allow from parameterize

augeas/lib/puppet/parser/functions/augeas_set_children.rb

@@ -0,0 +1,22 @@
+module Puppet::Parser::Functions
+  newfunction(:augeas_set_children, :type => :rvalue) do |args|
+    if args.length != 2
+      raise Puppet::ParseError, ('augeas_set_children(): wrong number of arguments (#{args.length}; must be 2)')
+    end
+
+    key = args[0]
+    values = args[1]
+
+    if values.empty?
+      changes = [ "rm %s" % key ]
+    else
+      changes = [ "clear %s" % key ]
+    end
+
+    values.uniq.each.with_index do |value, i|
+      changes << "set %s/%s '%s'" % [ key, i+1, value ]
+    end
+
+    changes.join("\n")
+  end
+end

ssh/manifests/init.pp

@@ -180,33 +180,69 @@ class ssh::disable inherits ssh::server {
 #
 class ssh::allowgroups {
 
-    include ssh::server
+    warning("ssh::allowgroups is deprecated, use ssh::allow")
 
-    $root_group = $::operatingsystem ? {
+    class { "ssh::allow":
-        "openbsd" => "wheel",
+        groups => $ssh_allowgroups,
-        default   => "root",
-    }
-
-    if $ssh_allowgroups {
-        $ssh_allowgroups_real = inline_template("${root_group} <%= @ssh_allowgroups.join(' ') %>")
-    } else {
-        $ssh_allowgroups_real = $root_group
-    }
-
-    exec { "ssh-allowgroups-set":
-        path    => "/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin",
-        cwd     => "/etc/ssh",
-        command => "echo 'AllowGroups ${ssh_allowgroups_real}' >> sshd_config",
-        unless  => "grep -q '^[^#]*AllowGroups' sshd_config",
-        before  => Exec["ssh-allowgroups-sub"],
-        notify  => Service["sshd"],
-    }
-    exec { "ssh-allowgroups-sub":
-        path    => "/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin",
-        cwd     => "/etc/ssh",
-        command => "ruby -pi -e 'sub(/(AllowGroups).*/, \"\\\\1 ${ssh_allowgroups_real}\")' sshd_config",
-        unless  => "grep -q '^[^#]*AllowGroups ${ssh_allowgroups_real}' sshd_config",
-        notify  => Service["sshd"],
     }
 
 }
+
+
+# Set AllowUsers and AllowGroups in sshd_config.
+#
+# === Parameters
+#
+#   $root:
+#     Always allow root. Defaults to true.
+#   $users:
+#     Array of allowed users. Allow all if undefined.
+#   $groups:
+#     Array of allowed groups. Allow all if undefined.
+#
+class ssh::allow(
+  $root=true,
+  $users=undef,
+  $groups=undef,
+) {
+
+  include ssh::server
+
+  if $users {
+    if $root {
+      $users_real = merge('root', $users)
+    } else {
+      $users_real = $users
+    }
+  } else {
+    $users_real = []
+  }
+
+  $root_group = $::operatingsystem ? {
+    'openbsd' => 'wheel',
+    default   => 'root',
+  }
+
+  if $groups {
+    if $root {
+      $groups_real = merge($root_group, $groups)
+    } else {
+      $groups_real = $groups
+    }
+  } else {
+    $groups_real = []
+  }
+
+  augeas { 'ssh-allow-users':
+    context => '/files/etc/ssh/sshd_config',
+    changes => augeas_set_children('AllowUsers', $users_real),
+    notify  => Service['sshd'],
+  }
+
+  augeas { 'ssh-allow-groups':
+    context => '/files/etc/ssh/sshd_config',
+    changes => augeas_set_children('AllowGroups', $groups_real),
+    notify  => Service['sshd'],
+  }
+
+}