diff --git a/manifests/key_management.pp b/manifests/key_management.pp index 61711511..07a54663 100644 --- a/manifests/key_management.pp +++ b/manifests/key_management.pp @@ -19,27 +19,23 @@ # @param sshkey_custom_path # Path to custom file for ssh key management. # +# @param purge_user_home +# Whether to force recurse remove user home directories when removing a user +# # @api private # define accounts::key_management( String $user, String $group, + Boolean $purge_user_home, Optional[String] $user_home = undef, Array[String] $sshkeys = [], String $sshkey_owner = $user, Optional[String] $sshkey_custom_path = undef, + Enum['present','absent'] $ensure = 'present', ) { - if $user_home { - file { "${user_home}/.ssh": - ensure => directory, - owner => $user, - group => $group, - mode => '0700', - } - } - - if $sshkey_custom_path { + if $sshkey_custom_path != undef { $key_file = $sshkey_custom_path } elsif $user_home { $key_file = "${user_home}/.ssh/authorized_keys" 
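Review bot: The new `$ensure` parameter of accounts::key_management is undocumented — the hunk adds a `@param purge_user_home` block but no `@param ensure`, which puppet-strings will flag; add `# @param ensure` / `#   Whether the .ssh directory, key file and keys should be present or absent.` above `# @api private`. `Boolean $purge_user_home` also has no default, so every declaration of this define must now pass it or compilation fails; since it is the switch for the recurse+force removal path, `Boolean $purge_user_home = false,` keeps that destructive behaviour opt-in and tolerates any caller the commit did not update. The purge_user_home description ("remove user home directories") also reads broader than what this define appears to control, which from the rest of the diff looks to be only the `.ssh` directory. The define's body continues outside the hunk.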
@@ -47,13 +43,51 @@ err(translate('Either user_home or sshkey_custom_path must be specified')) } + if $ensure == 'present' { + $dot_ssh_dir_ensure = 'directory' + $dot_ssh_dir_recurse = undef + $dot_ssh_dir_force = undef + $key_file_ensure = 'file' + } else { + $dot_ssh_dir_ensure = 'absent' + if $purge_user_home { + $dot_ssh_dir_recurse = true + $dot_ssh_dir_force = true + } else { + $dot_ssh_dir_recurse = undef + $dot_ssh_dir_force = undef + } + $key_file_ensure = 'absent' + File[$key_file] -> User[$user] + if $user_home { + File["${user_home}/.ssh"] -> File[$user_home] + } + } + if $user_home { + file { "${user_home}/.ssh": + ensure => $dot_ssh_dir_ensure, + owner => $user, + group => $group, + mode => '0700', + recurse => $dot_ssh_dir_recurse, + force => $dot_ssh_dir_force, + } + } + file { $key_file: - ensure => file, + ensure => $key_file_ensure, owner => $user, group => $group, mode => '0600', } + if $ensure == 'present' { + $sshkey_require = File["${user_home}/.ssh"] + $sshkey_before = File[$key_file] + } else { + $sshkey_require = undef + $sshkey_before = [File[$key_file], File["${user_home}/.ssh"]] + } if $sshkeys != [] { if $user_home { $requires = [File["${user_home}/.ssh"], File[$key_file]] @@ -62,11 +96,13 @@ } $sshkeys.each |$sshkey| { accounts::manage_keys { "${sshkey} for ${user}": + ensure => $ensure, keyspec => $sshkey, user => $user, key_owner => $sshkey_owner, key_file => $key_file, - require => $requires, + require => $sshkey_require, + before => $sshkey_before, } } } diff --git a/manifests/manage_keys.pp b/manifests/manage_keys.pp index f4267503..1abc5627 100644 --- a/manifests/manage_keys.pp +++ b/manifests/manage_keys.pp @@ -17,6 +17,7 @@ String $user, String $key_file, String $key_owner = $user, + Enum['present','absent'] $ensure = 'present', ) { $key_def = $keyspec.match(/^((.*)\s+)?((ssh|ecdsa-sha2).*)\s+(.*)\s+(.*)$/) 
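Review bot: `$sshkey_require = File["${user_home}/.ssh"]` (and `$sshkey_before` in the absent branch) is assigned whenever `$ensure == 'present'` regardless of `$user_home`, which is `Optional`: for a caller that only sets `sshkey_custom_path`, the title interpolates to `File["/.ssh"]`, a resource this define never declares, so any such user with keys now fails catalog compilation with a missing-dependency error. The old `require => $requires` guarded that reference on `$user_home`; `$requires` is still computed inside `if $sshkeys != []` but no longer used, so that assignment is now dead code. Build the reference conditionally, as below, and drop `$requires`. The define's body continues past the hunk.
```puppet
  # … unchanged: $dot_ssh_dir_* selection, .ssh directory and $key_file resources …
  # Only reference the .ssh directory when this define manages one; callers
  # that pass sshkey_custom_path have no user_home and no File[".ssh"] here.
  $dot_ssh_refs = if $user_home { [File["${user_home}/.ssh"]] } else { [] }
  if $ensure == 'present' {
    $sshkey_require = $dot_ssh_refs
    $sshkey_before  = File[$key_file]
  } else {
    $sshkey_require = undef
    $sshkey_before  = [File[$key_file]] + $dot_ssh_refs
  }
  # … unchanged: accounts::manage_keys declaration …
```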
@@ -35,8 +36,12 @@ $key_title = "${user}_${key_type}_${key_name}" + if $ensure == 'absent' { + Ssh_authorized_key[$key_title] -> User[$user] + } + ssh_authorized_key { $key_title: - ensure => present, + ensure => $ensure, user => $key_owner, key => $key_content, type => $key_type, diff --git a/manifests/user.pp b/manifests/user.pp index f33b0cc7..13e444b5 100644 --- a/manifests/user.pp +++ b/manifests/user.pp @@ -139,6 +139,9 @@ # @param name # Name of the user. # +# @param purge_user_home +# Whether to force recurse remove user home directories when removing a user. Defaults to false. +# define accounts::user( Pattern[/^present$|^absent$/] $ensure = 'present', Pattern[/^\//] $shell = '/bin/bash', @@ -172,6 +175,7 @@ Optional[String] $forward_source = undef, Optional[Pattern[/^absent$|^\d{4}-\d{2}-\d{2}$/]] $expiry = undef, Optional[String] $sshkey_custom_path = undef, + Boolean $purge_user_home = false, ) { if $home { @@ -294,22 +298,22 @@ group => $group, require => [ User[$name] ], } - if ( $ensure == 'present' ) { - accounts::key_management { "${name}_key_management": - user => $name, - group => $group, - user_home => $_home, - sshkeys => $sshkeys, - sshkey_owner => $sshkey_owner, - sshkey_custom_path => $sshkey_custom_path, - require => Accounts::Home_dir[$_home] - } + accounts::key_management { "${name}_key_management": + ensure => $ensure, + user => $name, + group => $group, + user_home => $_home, + sshkeys => $sshkeys, + sshkey_custom_path => $sshkey_custom_path, + purge_user_home => $purge_user_home, + require => Accounts::Home_dir[$_home] } } elsif $sshkeys != [] { # We are not managing the user's home directory but we have specified a # custom, non-home directory for the ssh keys. if (($sshkey_custom_path != undef) and ($ensure == 'present')) { accounts::key_management { "${name}_key_management": + ensure => $ensure, user => $sshkey_owner, group => $group, sshkeys => $sshkeys, 
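Review bot: `Ssh_authorized_key[$key_title] -> User[$user]` requires `User[$user]` to exist in the catalog, but the key resource itself is declared for `$key_owner`, which this define allows to differ from `$user`; a caller combining a distinct owner with `ensure => 'absent'` and no matching `User[$user]` gets a missing-resource failure rather than a clean removal. If the intent is "remove the key before the account whose authorized_keys it lives in", the relationship likely belongs on the owner, `Ssh_authorized_key[$key_title] -> User[$key_owner]`; otherwise the constraint should be stated in the docs. The `@param ensure` entry for the new parameter belongs in the doc header above, which is outside this hunk, so I cannot see whether it was added.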
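Review bot: The rewritten first `accounts::key_management` declaration in user.pp drops `sshkey_owner => $sshkey_owner`, which the removed block passed; key_management defaults `$sshkey_owner` to `$user`, so for a user declared with a non-default `sshkey_owner` the keys are now installed into (and, on absent, removed from) `$name`'s authorized_keys instead of the configured owner's — a silent change of which account the keys grant access to. Restore the line: `sshkey_owner => $sshkey_owner,`. Separately, the `elsif` branch is still gated on `$ensure == 'present'`, so the `ensure => $ensure` added there is always 'present' and keys kept in a custom path for a user without a managed home are never cleaned up on removal. Since `purge_user_home` has no default in key_management, that second declaration must also pass it; its tail lies outside the hunk, so I cannot see whether it does.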
diff --git a/spec/defines/accounts_user_spec.rb b/spec/defines/accounts_user_spec.rb index 46ebc916..df40babc 100644 --- a/spec/defines/accounts_user_spec.rb +++ b/spec/defines/accounts_user_spec.rb @@ -118,13 +118,23 @@ params['ensure'] = 'absent' end - it { is_expected.to contain_user('dan').with('ensure' => 'absent') } - it { is_expected.to contain_user('dan').that_comes_before('Group[dan]') } - it { is_expected.to contain_group('dan').with('ensure' => 'absent') } - it do - is_expected.not_to contain_accounts__home_dir('/var/home/dan').with('ensure' => 'absent', - 'recurse' => true, - 'force' => true) + context 'with default sshkey path' do + it { is_expected.to contain_user('dan').with('ensure' => 'absent') } + it { is_expected.to contain_user('dan').that_comes_before('Group[dan]') } + it { is_expected.to contain_group('dan').with('ensure' => 'absent') } + it do + is_expected.not_to contain_accounts__home_dir('/var/home/dan').with('ensure' => 'absent', + 'recurse' => true, + 'force' => true) + end + end + + context 'with custom sshkey location' do + before(:each) do + params['sshkey_custom_path'] = '/var/lib/ssh/dan/custom_key_file' + end + + it { is_expected.to contain_file('/var/lib/ssh/dan/custom_key_file').with('ensure' => 'absent').that_comes_before('User[dan]') } end end
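Review bot: The new spec contexts never exercise `purge_user_home => true`, so the recurse/force removal path this commit introduces is untested, and neither absent case asserts that the authorized_keys file itself goes away. In 'with default sshkey path' add `it { is_expected.to contain_file('/var/home/dan/.ssh/authorized_keys').with('ensure' => 'absent').that_comes_before('User[dan]') }`, and add a context setting `params['purge_user_home'] = true` that expects `contain_file('/var/home/dan/.ssh').with('ensure' => 'absent', 'recurse' => true, 'force' => true)`, with the default context asserting the same resource is absent without recurse/force. The custom-path context only checks the File resource; an expectation that the `ssh_authorized_key` resource is absent would also cover manage_keys' new ensure handling, assuming the enclosing context supplies sshkeys.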