Remove user when custom sshkey file is set

solves https://tickets.puppetlabs.com/browse/MODULES-8746
puppetlabs · Mar 20, 2019 · e509bdb · e509bdb
1 parent 4a740a4
commit e509bdb
Show file tree

Hide file tree

Showing 4 changed files with 85 additions and 30 deletions.
diff --git a/manifests/key_management.pp b/manifests/key_management.pp
@@ -19,41 +19,75 @@
 # @param sshkey_custom_path
 #   Path to custom file for ssh key management.
 #
+# @param purge_user_home
+#   Whether to force recurse remove user home directories when removing a user
+#
 # @api private
 #
 define accounts::key_management(
   String $user,
   String $group,
+  Boolean $purge_user_home,
   Optional[String] $user_home = undef,
   Array[String] $sshkeys = [],
   String $sshkey_owner = $user,
   Optional[String] $sshkey_custom_path = undef,
+  Enum['present','absent'] $ensure = 'present',
 ) {
 
-  if $user_home {
-    file { "${user_home}/.ssh":
-      ensure => directory,
-      owner  => $user,
-      group  => $group,
-      mode   => '0700',
-    }
-  }
-
-  if $sshkey_custom_path {
+  if $sshkey_custom_path != undef {
     $key_file = $sshkey_custom_path
   } elsif $user_home {
     $key_file = "${user_home}/.ssh/authorized_keys"
   } else {
     err(translate('Either user_home or sshkey_custom_path must be specified'))
   }
 
+  if $ensure == 'present' {
+    $dot_ssh_dir_ensure = 'directory'
+    $dot_ssh_dir_recurse = undef
+    $dot_ssh_dir_force = undef
+    $key_file_ensure = 'file'
+  } else {
+    $dot_ssh_dir_ensure = 'absent'
+    if $purge_user_home {
+      $dot_ssh_dir_recurse = true
+      $dot_ssh_dir_force = true
+    } else {
+      $dot_ssh_dir_recurse = undef
+      $dot_ssh_dir_force = undef
+    }
+    $key_file_ensure = 'absent'
+    File[$key_file] -> User[$user]
+    if $user_home {
+      File["${user_home}/.ssh"] -> File[$user_home]
+    }
+  }
+  if $user_home {
+    file { "${user_home}/.ssh":
+      ensure  => $dot_ssh_dir_ensure,
+      owner   => $user,
+      group   => $group,
+      mode    => '0700',
+      recurse => $dot_ssh_dir_recurse,
+      force   => $dot_ssh_dir_force,
+    }
+  }
+
   file { $key_file:
-    ensure => file,
+    ensure => $key_file_ensure,
     owner  => $user,
     group  => $group,
     mode   => '0600',
   }
 
+  if $ensure == 'present' {
+    $sshkey_require = File["${user_home}/.ssh"]
+    $sshkey_before = File[$key_file]
+  } else {
+    $sshkey_require = undef
+    $sshkey_before = [File[$key_file], File["${user_home}/.ssh"]]
+  }
   if $sshkeys != [] {
     if $user_home {
       $requires = [File["${user_home}/.ssh"], File[$key_file]]
@@ -62,11 +96,13 @@
     }
     $sshkeys.each |$sshkey| {
       accounts::manage_keys { "${sshkey} for ${user}":
+        ensure    => $ensure,
         keyspec   => $sshkey,
         user      => $user,
         key_owner => $sshkey_owner,
         key_file  => $key_file,
-        require   => $requires,
+        require   => $sshkey_require,
+        before    => $sshkey_before,
       }
     }
   }

diff --git a/manifests/manage_keys.pp b/manifests/manage_keys.pp
@@ -17,6 +17,7 @@
   String $user,
   String $key_file,
   String $key_owner = $user,
+  Enum['present','absent'] $ensure = 'present',
 ) {
 
   $key_def = $keyspec.match(/^((.*)\s+)?((ssh|ecdsa-sha2).*)\s+(.*)\s+(.*)$/)
@@ -35,8 +36,12 @@
 
     $key_title = "${user}_${key_type}_${key_name}"
 
+    if $ensure == 'absent' {
+      Ssh_authorized_key[$key_title] -> User[$user]
+    }
+
     ssh_authorized_key { $key_title:
-      ensure  => present,
+      ensure  => $ensure,
       user    => $key_owner,
       key     => $key_content,
       type    => $key_type,

diff --git a/manifests/user.pp b/manifests/user.pp
@@ -139,6 +139,9 @@
 # @param name
 #   Name of the user.
 #
+# @param purge_user_home
+#   Whether to force recurse remove user home directories when removing a user. Defaults to false.
+#
 define accounts::user(
   Pattern[/^present$|^absent$/] $ensure                     = 'present',
   Pattern[/^\//] $shell                                     = '/bin/bash',
@@ -172,6 +175,7 @@
   Optional[String] $forward_source                          = undef,
   Optional[Pattern[/^absent$|^\d{4}-\d{2}-\d{2}$/]] $expiry = undef,
   Optional[String] $sshkey_custom_path                      = undef,
+  Boolean $purge_user_home  = false,
 ) {
 
   if $home {
@@ -294,22 +298,22 @@
       group                => $group,
       require              => [ User[$name] ],
     }
-    if ( $ensure == 'present' ) {
-      accounts::key_management { "${name}_key_management":
-        user               => $name,
-        group              => $group,
-        user_home          => $_home,
-        sshkeys            => $sshkeys,
-        sshkey_owner       => $sshkey_owner,
-        sshkey_custom_path => $sshkey_custom_path,
-        require            => Accounts::Home_dir[$_home]
-      }
+    accounts::key_management { "${name}_key_management":
+      ensure             => $ensure,
+      user               => $name,
+      group              => $group,
+      user_home          => $_home,
+      sshkeys            => $sshkeys,
+      sshkey_custom_path => $sshkey_custom_path,
+      purge_user_home    => $purge_user_home,
+      require            => Accounts::Home_dir[$_home]
     }
   } elsif $sshkeys != [] {
     # We are not managing the user's home directory but we have specified a
     # custom, non-home directory for the ssh keys.
       if (($sshkey_custom_path != undef) and ($ensure == 'present')) {
         accounts::key_management { "${name}_key_management":
+          ensure             => $ensure,
           user               => $sshkey_owner,
           group              => $group,
           sshkeys            => $sshkeys,

diff --git a/spec/defines/accounts_user_spec.rb b/spec/defines/accounts_user_spec.rb
@@ -118,13 +118,23 @@
         params['ensure'] = 'absent'
       end
 
-      it { is_expected.to contain_user('dan').with('ensure' => 'absent') }
-      it { is_expected.to contain_user('dan').that_comes_before('Group[dan]') }
-      it { is_expected.to contain_group('dan').with('ensure' => 'absent') }
-      it do
-        is_expected.not_to contain_accounts__home_dir('/var/home/dan').with('ensure' => 'absent',
-                                                                            'recurse' => true,
-                                                                            'force' => true)
+      context 'with default sshkey path' do
+        it { is_expected.to contain_user('dan').with('ensure' => 'absent') }
+        it { is_expected.to contain_user('dan').that_comes_before('Group[dan]') }
+        it { is_expected.to contain_group('dan').with('ensure' => 'absent') }
+        it do
+          is_expected.not_to contain_accounts__home_dir('/var/home/dan').with('ensure' => 'absent',
+                                                                              'recurse' => true,
+                                                                              'force' => true)
+        end
+      end
+
+      context 'with custom sshkey location' do
+        before(:each) do
+          params['sshkey_custom_path'] = '/var/lib/ssh/dan/custom_key_file'
+        end
+
+        it { is_expected.to contain_file('/var/lib/ssh/dan/custom_key_file').with('ensure' => 'absent').that_comes_before('User[dan]') }
       end
     end