From 68586a0c3dd6c45568901dc48458f76de451322f Mon Sep 17 00:00:00 2001
From: Steven Armstrong
Date: Thu, 25 Sep 2014 16:23:38 +0200
Subject: [PATCH] new type to manage a single ssh authorized_key entry
Signed-off-by: Steven Armstrong
---
.../type/__ssh_authorized_key/explorer/entry | 26 +++++++
cdist/conf/type/__ssh_authorized_key/man.text | 67 +++++++++++++++++
cdist/conf/type/__ssh_authorized_key/manifest | 75 +++++++++++++++++++
.../parameter/default/state | 1 +
.../__ssh_authorized_key/parameter/optional | 2 +
.../parameter/optional_multiple | 1 +
.../__ssh_authorized_key/parameter/required | 2 +
7 files changed, 174 insertions(+)
create mode 100755 cdist/conf/type/__ssh_authorized_key/explorer/entry
create mode 100644 cdist/conf/type/__ssh_authorized_key/man.text
create mode 100755 cdist/conf/type/__ssh_authorized_key/manifest
create mode 100644 cdist/conf/type/__ssh_authorized_key/parameter/default/state
create mode 100644 cdist/conf/type/__ssh_authorized_key/parameter/optional
create mode 100644 cdist/conf/type/__ssh_authorized_key/parameter/optional_multiple
create mode 100644 cdist/conf/type/__ssh_authorized_key/parameter/required
diff --git a/cdist/conf/type/__ssh_authorized_key/explorer/entry b/cdist/conf/type/__ssh_authorized_key/explorer/entry
new file mode 100755
index 00000000..78031ab5
--- /dev/null
+++ b/cdist/conf/type/__ssh_authorized_key/explorer/entry
@@ -0,0 +1,26 @@
+#!/bin/sh
+#
+# 2014 Steven Armstrong (steven-cdist at armstrong.cc)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see .
+#
+
+# extract the keytype and base64 encoded key ignoring any options and comment
+type_and_key="$(cat "$__object/parameter/key" | tr ' ' '\n' | awk '/^(ssh|ecdsa)-[^ ]+/ { printf $1" "; getline; printf $1 }')"
+file="$(cat $__object/parameter/file)"
+
+# get any entries that match the type and key
+grep ".*$type_and_key[ \n]" "$file" || true
diff --git a/cdist/conf/type/__ssh_authorized_key/man.text b/cdist/conf/type/__ssh_authorized_key/man.text
new file mode 100644
index 00000000..b519222c
--- /dev/null
+++ b/cdist/conf/type/__ssh_authorized_key/man.text
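Review bot: An unparseable --key leaves `$type_and_key` empty, and the grep on the last line of the hunk then degrades to `.*[ \n]`, which matches practically every line of the authorized_keys file; the manifest treats every reported line that differs from the desired entry as a conflict to remove, so a bad key parameter could strip other users' keys from the file. Guard before the grep with `[ -n "$type_and_key" ] || { echo "cannot parse key type and key from --key" >&2; exit 1; }`. The bracket expression `[ \n]` also does not mean end-of-line (grep never sees a newline, and inside brackets `\n` is a backslash or the letter n), so an existing entry with no trailing comment is never reported; two explicit patterns cover both cases, `grep -e "$type_and_key[[:space:]]" -e "$type_and_key\$" -- "$file" || true`, and stay safe because key types and base64 contain no BRE metacharacters (do not switch to -E, where `+` in base64 becomes a quantifier). Minor: `cat $__object/parameter/file` on the line above is unquoted, unlike the same read in the manifest.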
@@ -0,0 +1,67 @@
+cdist-type__ssh_authorized_key(7)
+=================================
+Steven Armstrong
+
+
+NAME
+----
+cdist-type__ssh_authorized_key - manage a single ssh authorized key entry
+
+
+DESCRIPTION
+-----------
+Manage a single authorized key entry in an authorized_key file.
+This type was created to be used by the __ssh_authorized_keys type.
+
+
+REQUIRED PARAMETERS
+-------------------
+file::
+ the authorized_keys file to which the given key should be added
+
+key::
+ a string containing the ssh keytype, base 64 encoded key and optional
+ trailing comment which shall be added to the given authorized_keys file.
+
+
+OPTIONAL PARAMETERS
+-------------------
+comment::
+ explicit comment instead of the one which may be trailing the given key
+
+option::
+ an option to set for this authorized_key entry.
+ Can be specified multiple times.
+ See sshd(8) for available options.
+
+state::
+ if the given keys should be 'present' or 'absent', defaults to 'present'.
+
+
+EXAMPLES
+--------
+
+--------------------------------------------------------------------------------
+__ssh_authorized_key some-id \
+ --file "/home/user/.ssh/autorized_keys" \
+ --key "$(cat ~/.ssh/id_rsa.pub)"
+
+__ssh_authorized_key some-id \
+ --file "/home/user/.ssh/autorized_keys" \
+ --key "$(cat ~/.ssh/id_rsa.pub)" \
+ --option 'command="/path/to/script"' \
+ --option 'environment="FOO=bar"' \
+ --comment 'one to rule them all'
+--------------------------------------------------------------------------------
+
+
+SEE ALSO
+--------
+- cdist-type(7)
+- cdist__ssh_authorized_keys(7)
+- sshd(8)
+
+COPYING
+-------
+Copyright \(C) 2014 Steven Armstrong. Free use of this software is
+granted under the terms of the GNU General Public License version 3 (GPLv3).
diff --git a/cdist/conf/type/__ssh_authorized_key/manifest b/cdist/conf/type/__ssh_authorized_key/manifest
new file mode 100755
index 00000000..eb7ae859
--- /dev/null
+++ b/cdist/conf/type/__ssh_authorized_key/manifest
@@ -0,0 +1,75 @@
+#!/bin/sh
+#
+# 2014 Steven Armstrong (steven-cdist at armstrong.cc)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see .
+#
+
+file="$(cat "$__object/parameter/file")"
+state="$(cat "$__object/parameter/state")"
+mkdir "$__object/files"
+
+_cksum() {
+ echo "$1" | cksum | cut -d' ' -f 1
+}
+
+_do_line() {
+ file="$1"
+ line="$2"
+ state="$3"
+ line_id="$(_cksum "$file")-$(_cksum "$line")"
+
+ set -- "$line_id"
+ set -- "$@" --file "$file"
+ set -- "$@" --line "$line"
+ set -- "$@" --state "$state"
+ # Ensure __line does not read stdin
+ __line "$@" < /dev/null
+}
+
+# Generate the entry as it should be
+(
+ if [ -f "$__object/parameter/option" ]; then
+ options="$(cat "$__object/parameter/option" | tr '\n' ',')"
+ printf '%s ' "${options%*,}"
+ fi
+ if [ -f "$__object/parameter/comment" ]; then
+ # extract the keytype and base64 encoded key ignoring any options and comment
+ printf '%s ' "$(cat "$__object/parameter/key" | tr ' ' '\n' | awk '/^(ssh|ecdsa)-[^ ]+/ { printf $1" "; getline; printf $1 }')"
+ # override the comment with the one explicitly given
+ printf '%s' "$(cat "$__object/parameter/comment")"
+ else
+ printf '%s' "$(cat "$__object/parameter/key")"
+ fi
+) > "$__object/files/should"
+
+# Check for existing and conflicting entries and remove them
+if [ -s "$__object/explorer/entry" ]; then
+ # We have existing entries for this key.
+ # Check if any of them are in conflict to how the entry should be.
+ # Note that the file has to be sorted for comparison with `comm`.
+ sort "$__object/explorer/entry" > "$__object/files/is"
+ comm -13 "$__object/files/should" "$__object/files/is" | {
+ # Remove conflicting entries
+ while read entry; do
+ _do_line "$file" "$entry" absent
+ done
+ }
+fi
+
+# Manage the actual entry as it should be
+entry="$(cat "$__object/files/should")"
+_do_line "$file" "$entry" "$state"
diff --git a/cdist/conf/type/__ssh_authorized_key/parameter/default/state b/cdist/conf/type/__ssh_authorized_key/parameter/default/state
new file mode 100644
index 00000000..e7f6134f
--- /dev/null
+++ b/cdist/conf/type/__ssh_authorized_key/parameter/default/state
@@ -0,0 +1 @@
+present
diff --git a/cdist/conf/type/__ssh_authorized_key/parameter/optional b/cdist/conf/type/__ssh_authorized_key/parameter/optional
new file mode 100644
index 00000000..89e8d966
--- /dev/null
+++ b/cdist/conf/type/__ssh_authorized_key/parameter/optional
@@ -0,0 +1,2 @@
+comment
+state
diff --git a/cdist/conf/type/__ssh_authorized_key/parameter/optional_multiple b/cdist/conf/type/__ssh_authorized_key/parameter/optional_multiple
new file mode 100644
index 00000000..01925a15
--- /dev/null
+++ b/cdist/conf/type/__ssh_authorized_key/parameter/optional_multiple
@@ -0,0 +1 @@
+option
diff --git a/cdist/conf/type/__ssh_authorized_key/parameter/required b/cdist/conf/type/__ssh_authorized_key/parameter/required
new file mode 100644
index 00000000..d51426c3
--- /dev/null
+++ b/cdist/conf/type/__ssh_authorized_key/parameter/required
@@ -0,0 +1,2 @@
+file
+key
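Review bot: The removal loop `while read entry; do` hands `__line --line` a mangled copy of the conflicting entry: without `-r` the shell interprets backslash sequences and with the default IFS it trims leading blanks, so an existing entry containing a backslash (for instance inside a quoted `command=` option) never matches the line __line is told to remove and stays in the file, defeating the conflict cleanup; use `while IFS= read -r entry; do`. `_do_line` also assigns the globals `file`, `line` and `state` that the top of the manifest reads, which is harmless today only because the loop body runs in the pipe's subshell; renaming the function's parameters (e.g. `_file`, `_line`, `_state`) would remove that trap for the next edit. Lastly, `files/should` is written without a trailing newline before being fed to `comm`; GNU comm copes, but I would end the subshell with `printf '\n'` so other implementations cannot mis-compare the last line.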