From f0199bfcbdc88060ad13b1b4c82d5d8ee40aada6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20M=E4kinen?=
Date: Wed, 25 Sep 2013 12:13:05 +0300
Subject: [PATCH] kerberos: Refactored kerberos keytab generation to use fileshare instead of templates.
---
 .../parser/functions/keytab_generate.rb | 66 +++++++++++++++++++
 kerberos/manifests/init.pp | 16 +++--
 kerberos/templates/keytab.erb | 62 -----------------
 3 files changed, 76 insertions(+), 68 deletions(-)
 create mode 100644 kerberos/lib/puppet/parser/functions/keytab_generate.rb
 delete mode 100644 kerberos/templates/keytab.erb
diff --git a/kerberos/lib/puppet/parser/functions/keytab_generate.rb b/kerberos/lib/puppet/parser/functions/keytab_generate.rb
new file mode 100644
index 0000000..922fc11
--- /dev/null
+++ b/kerberos/lib/puppet/parser/functions/keytab_generate.rb
@@ -0,0 +1,66 @@ + +require 'base64' +require 'expect' +require 'tempfile' + + +module Puppet::Parser::Functions + newfunction(:keytab_generate) do |args| + name = args[0] + principals = args[1] + + # get output file name + outfile = File.join('/srv/puppet/files/generated', + lookupvar('homename'), Base64.encode64(name)).strip + begin + Dir.mkdir(File.dirname(outfile)) + rescue + nil + end + + # check if we have cached keytab up to date + cached = true + if File.exists?(outfile) + if not check_keytab(outfile, principals) + cached = false + File.unlink(outfile) + end + else + cached = false + end + + # create new keytab if cache is not up to date + if not cached + cmd = sprintf('kadmin -p %s -k -t /etc/puppet/puppet.keytab -q "ktadd -k %s %s" 1>&2', + lookupvar('kerberos_user'), outfile, principals.join(' ')) + output = '' + IO.popen(cmd, mode='r') { |f| + output = f.read + } + if not File.exists?(outfile) + raise 'Failed to create keytab ' + name + ' error was: ' + output + elsif not check_keytab(outfile, principals) + raise 'Invalid keytab ' + name + ' created' + end + end + end + +end + + +# function to check if keytab contains required principals +def check_keytab(keytab, principals) + entries = [] + IO.popen(sprintf('klist -k %s', keytab), mode='r') { |f| + f.readlines.each do |l| + next unless l =~ /[ ]+\d+ .*/ + entries << l.split()[1] + end + } + principals.each do |p| + if not entries.include?(p) + return false + end + end + return true +end diff --git a/kerberos/manifests/init.pp b/kerberos/manifests/init.pp index ef4f033..7a2fccb 100644 --- a/kerberos/manifests/init.pp +++ b/kerberos/manifests/init.pp 
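Review bot: The `1>&2` inside `cmd` redirects kadmin's stdout to stderr, but `IO.popen` only captures the child's stdout, so `output` is always empty and `'Failed to create keytab ' + name + ' error was: ' + output` never carries the reason for the failure. The string form of `IO.popen` also goes through `/bin/sh` with `outfile` and `principals.join(' ')` interpolated unquoted (the `klist` call in `check_keytab` has the same shape); an argv array with `err: [:child, :out]` (Ruby 1.9+) removes the shell from the path and captures both streams. Separately, `Base64.encode64` wraps its output with a newline every 60 characters, so `.strip` only cleans names up to 45 bytes and a longer name leaves a newline inside `outfile`; `Base64.strict_encode64` (or `urlsafe_encode64`, which also keeps `/` out of the path) is the safe form, provided the manifest's `base64($name)` yields the same string. The bare `rescue` around `Dir.mkdir` hides permission errors until kadmin fails later, `check_keytab` is defined on `Object` rather than inside the function, and `require 'expect'`/`require 'tempfile'` are unused.
```ruby
    # … unchanged: outfile derivation and cache check …
    if not cached
      cmd = ['kadmin', '-p', lookupvar('kerberos_user'), '-k', '-t', '/etc/puppet/puppet.keytab',
             '-q', "ktadd -k #{outfile} #{principals.join(' ')}"]
      # argv form: no shell; stderr merged into the pipe so the failure text reaches `output`
      output = IO.popen(cmd, 'r', err: [:child, :out]) { |f| f.read }
      # … unchanged: File.exists? / check_keytab validation …
    end

# … in check_keytab, the same argv form …
  IO.popen(['klist', '-k', keytab], 'r') { |f|
    # … unchanged: line parsing …
  }
```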
@@ -244,7 +244,8 @@ class kerberos::server::ldap inherits kerberos::server { # principals => [ "host/testhost.foo.sh@FOO.SH" ], # } # -define kerberos::keytab($principals = [], $ensure = present, $owner = "root", $group = "", $mode = "0600") { +define kerberos::keytab($principals=[], $ensure=present, $owner="root", + $group="", $mode="0600") { case $group { "": { @@ -258,12 +259,15 @@ define kerberos::keytab($principals = [], $ensure = present, $owner = "root", $g } } + keytab_generate($name, $principals) + $source = base64($name) + file { $name: - ensure => $ensure, - content => template("kerberos/keytab.erb"), - mode => $mode, - owner => $owner, - group => $real_group, + ensure => $ensure, + source => "puppet:///generated/${source}", + mode => $mode, + owner => $owner, + group => $real_group, } } diff --git a/kerberos/templates/keytab.erb b/kerberos/templates/keytab.erb deleted file mode 100644 index 12fd8d3..0000000 --- a/kerberos/templates/keytab.erb +++ /dev/null 
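Review bot: `source => "puppet:///generated/${source}"` makes the keytab — live Kerberos key material — retrievable through a fileserver mount, and nothing in this patch restricts that mount; the Ruby side stores each file under `$homename`, but unless the `generated` mount's `allow` rules in fileserver.conf are scoped per client, any agent can fetch the files that belong to other hosts. Please confirm (or add to the patch) the ACL for that mount, and that the files kadmin writes under `/srv/puppet/files/generated` are created with a restrictive mode, since the manifest's `$mode` only applies on the agent side. `$source = base64($name)` must also yield exactly the name the function builds with `Base64.encode64(name).strip`; if this is puppetlabs-stdlib's function it takes an action first (`base64('encode', $name)`), so confirm which `base64` is in use. `keytab_generate($name, $principals)` now runs kadmin/klist on the master at every catalog compile, which deserves a comment next to the call, e.g. `# compile-time side effect: (re)generates the keytab on the master`. The body of `define kerberos::keytab` continues between the two hunks.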
@@ -1,62 +0,0 @@ -<% - -require 'digest/md5' -require 'expect' -require 'tempfile' - - -config = {} -config['cachedir'] = '/var/cache/puppet' -config['kadmin'] = '/usr/bin/kadmin' -config['klist'] = '/usr/bin/klist' - - -# set global vars -cachefile = File.join(config['cachedir'], - homename + '.' + Digest::MD5.hexdigest(name)) - -# function to check if keytab contains required principals -def check_keytab(config, keytab, principals) - entries = [] - IO.popen(sprintf('%s -k %s', config['klist'], keytab), mode='r') { |f| - f.readlines.each do |l| - next unless l =~ /[ ]+\d+ .*/ - entries << l.split()[1] - end - } - principals.each do |p| - if not entries.include?(p) - return false - end - end - return true -end - - -# check if we have cached keytab up to date -cached = true -if File.exists?(cachefile) - if not check_keytab(config, cachefile, principals) - cached = false - File.unlink(cachefile) - end -else - cached = false -end - -# create new keytab if cache is not up to date -if not cached - cmd = sprintf('%s -p %s -k -t /etc/puppet/puppet.keytab -q "ktadd -k %s %s"', - config['kadmin'], kerberos_user, cachefile, principals.join(' ')) - output = `#{cmd} 2>&1` - if not File.exists?(cachefile) - raise 'Failed to create keytab ' + name + ' error was: ' + output - elsif not check_keytab(config, cachefile, principals) - raise 'Invalid keytab ' + name + ' created' - end -end - -# read keytab into memory -data = File.open(cachefile).read - --%><%= data -%>