__ssh_authorized_keys: Add --keyfile option

This allows storing keys to add in a file instead of having to hardcode them in the manifest.
2022-08-30 17:15:32 +02:00 · 2022-08-30 17:15:32 +02:00 · a45f87e015
commit a45f87e015
parent 90488d2e9e
4 changed files with 29 additions and 4 deletions
--- a/cdist/conf/type/__ssh_authorized_keys/man.rst
+++ b/cdist/conf/type/__ssh_authorized_keys/man.rst
@ -27,7 +27,16 @@ key
   Must be a string containing the ssh keytype, base 64 encoded key and
   optional trailing comment which shall be added to the given
   authorized_keys file.
-   Can be specified multiple times.
+
+   Can be specified multiple times. Either --key or --keyfile must be
+   specified.
+
+keyfile
+   A file containing one or more SSH keys (one per line, just like the
+   regular authorized_keys file).
+
+   Can be specified multiple times. Either --key or --keyfile must be
+   specified.


 OPTIONAL PARAMETERS
--- a/cdist/conf/type/__ssh_authorized_keys/manifest
+++ b/cdist/conf/type/__ssh_authorized_keys/manifest
@ -23,6 +23,11 @@ owner="$(cat "$__object/parameter/owner" 2>/dev/null || echo "$__object_id")"
 state="$(cat "$__object/parameter/state" 2>/dev/null)"
 file="$(cat "$__object/explorer/file")"

+if [ ! -f "$__object/parameter/key" -a ! -f "$__object/parameter/keyfile" ]; then
+   echo "At least one of --key or --keyfile must be specified" >&2
+   exit 1
+fi
+
 if [ ! -f "$__object/parameter/nofile" ] && [ -z "$file" ]
 then
 	echo "Cannot determine path of authorized_keys file" >&2
@ -59,7 +64,17 @@ _type_and_key() {
   echo "$1" | tr ' ' '\n' | awk '/^(ssh|ecdsa)-[^ ]+/ { printf $1" "; getline; printf $1 }'
 }

-while read -r key; do
+(
+   if [ -f "$__object/parameter/key" ]; then
+      cat "$__object/parameter/key"
+   fi
+
+   if [ -f "$__object/parameter/keyfile" ]; then
+      while read filename; do
+         cat "$filename"
+      done < "$__object/parameter/keyfile"
+   fi
+) | while read -r key; do
   type_and_key="$( _type_and_key "$key" )"
   object_id="$(_cksum "$file")-$(_cksum "$type_and_key")"
   set -- "$object_id"
@ -75,7 +90,7 @@ while read -r key; do
   fi
   # Ensure __ssh_authorized_key does not read stdin
   __ssh_authorized_key "$@" < /dev/null
-done < "$__object/parameter/key"
+done

 if [ -f "$__object/parameter/remove-unknown" ] &&
    [ -s "$__object/explorer/keys" ]
--- a/cdist/conf/type/__ssh_authorized_keys/parameter/optional_multiple
+++ b/cdist/conf/type/__ssh_authorized_keys/parameter/optional_multiple
@ -1 +1,3 @@
 option
+key
+keyfile
--- a/cdist/conf/type/__ssh_authorized_keys/parameter/required_multiple
+++ b/cdist/conf/type/__ssh_authorized_keys/parameter/required_multiple
@ -1 +0,0 @@
-key