diff --git a/README.md b/README.md index 3b20c6e..a75f375 100644 --- a/README.md +++ b/README.md @@ -54,6 +54,15 @@ The key will be exported as `alice_key@foo` (suffix is taken from the `hostname` Ssh_authorized_key <<| tag == "tag_users" |>> ``` +Customize `target_user` in order to store authorized key under different account than it was exported from. +``` +pubkey::ssh { 'bob_ed25519': + user => 'bob', # auto-detected from title + target_user => 'deploy', # user account under which authorized key will be stored + tags => ['users'], +} +``` + All Puppet variables are documented in [REFERENCE.md](./REFERENCE.md). ## How does this work? diff --git a/manifests/ssh.pp b/manifests/ssh.pp index 6e14d5f..f529ffd 100644 --- a/manifests/ssh.pp +++ b/manifests/ssh.pp @@ -3,7 +3,8 @@ # Exports public ssh key to Puppetserver # # @param generate Whether missing key should be generated -# @param user account name under which we will store the ssh key +# @param user account name where ssh key is (optionally) generated and public key stored into exported resource +# @param target_user account name under which we will store the authorized key (by default same as `user`) # @param type ssh key type one of: 'dsa', 'rsa', 'ecdsa', 'ed25519', 'ecdsa-sk', 'ed25519-sk' # @param home user's home directory, assuming .ssh is located in $HOME/.ssh # @param prefix custom key file prefix for the ssh key file (default: 'id') 
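Review bot: The new `@param target_user` line in manifests/ssh.pp documents the mechanics but not the trust consequence an operator needs before using it: the key pair presumably lives under `user`'s `$HOME/.ssh` (see `@param home` and `@param generate`), while the public half is now authorized for `target_user` on every node that collects the exported resource, so anyone who can read that private key obtains `target_user`'s login on all of those nodes. Suggest extending the line to `# @param target_user account name under which the authorized key is stored on collecting nodes (default: same as user). Whoever holds user's private key can then log in as target_user wherever the tag is collected; scope the collector's tag query accordingly.` The README hunk in this run repeats the same wording and would benefit from the same caveat next to the `target_user => 'deploy'` example.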
@@ -17,9 +18,24 @@ # # @example # pubkey::ssh { 'john_rsa': } +# +# @example +# pubkey::ssh { 'johndoe': +# type => 'ed25519', +# comment => 'johndoe_ed25519', +# tags => ['users'], +# } +# +# @example +# pubkey::ssh { 'bob_ed25519': +# user => 'bob', # auto-detected from title +# target_user => 'deploy', # user account under which authorized key will be stored +# tags => ['users'], +# } define pubkey::ssh ( Boolean $generate = true, Optional[String[1]] $user = undef, + Optional[String[1]] $target_user = undef, Optional[Pubkey::Type] $type = undef, Stdlib::AbsolutePath $path = $facts['path'], Optional[Stdlib::UnixPath] $home = undef, @@ -52,6 +68,11 @@ default => $user } + $_target_user = $target_user ? { + undef => $_user, + default => $target_user, + } + $_home = $home ? { undef => $_user ? { 'root' => '/root', @@ -107,7 +128,7 @@ if !empty($_key['type']) and !empty($_key['key']) { @@ssh_authorized_key { "${title}@${hostname}": ensure => present, - user => $_user, + user => $_target_user, type => $_key['type'], key => $_key['key'], tag => $tags, diff --git a/spec/classes/pubkey_spec.rb b/spec/classes/pubkey_spec.rb index 1c48526..c1d268c 100644 --- a/spec/classes/pubkey_spec.rb +++ b/spec/classes/pubkey_spec.rb 
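Review bot: The new `@example` for `'bob_ed25519'` sets `user => 'bob'` and annotates it `# auto-detected from title`, which contradicts itself: once `user` is passed explicitly the title is not consulted (the `$user` selector whose tail is visible in the -52 hunk appears to fall through to `default => $user`). Either drop the explicit `user => 'bob'` so the example actually demonstrates detection, or reword the comment to `# explicit; would otherwise be derived from the title`, and mirror the choice in the README example which carries the same text. The `define pubkey::ssh (` parameter list continues past the end of this hunk.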
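Review bot: `user => $_target_user` on the exported `ssh_authorized_key` is shipped to every node collecting the tag with no check that the account exists there; as far as I can tell from the stock type's behaviour, a collector that lacks `target_user` fails on that resource during its own run, and the error surfaces on the collecting node rather than on the node that declared the define, which makes it hard to trace back to this parameter. Since `tag => $tags` is the only scoping control visible here, suggest a comment above the resource: `# Collected on every node matching $tags: $_target_user must exist there, or the collector's run fails on this resource.` The enclosing `if !empty($_key['type']) ...` block and the define body both continue outside this hunk.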
@@ -144,6 +144,48 @@ it { expect(exported_resources).to contain_ssh_authorized_key('alice_ed25519@host.test').with( + user: 'alice', + type: 'ssh-ed25519', + key: 'AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGgW3IPS7MrL1t8Bta0cZFzvqR8pZMoyuqIVAEXWwb9fAAAABHNzaDo=', + ) + } + end + + context 'with target_user' do + let(:facts) { os_facts } + let :pre_condition do + <<-PP + pubkey::ssh { 'alice_ed25519': + tags => ['users'], + target_user => 'bob', + } + Ssh_authorized_key <<| tag == 'users' |>> + PP + end + + exported_keys = '/var/cache/pubkey/exported_keys' + it { is_expected.to compile.with_all_deps } + + it { is_expected.to contain_pubkey__ssh('alice_ed25519') } + + it { + is_expected.to contain_pubkey__keygen('keygen-alice_ed25519') + .with({ + user: 'alice', + type: 'ed25519', + }) + } + + it { + is_expected.to contain_file_line('alice:/home/alice/.ssh/id_ed25519.pub') + .with( + path: exported_keys, + ) + } + + it { + expect(exported_resources).to contain_ssh_authorized_key('alice_ed25519@host.test').with( + user: 'bob', type: 'ssh-ed25519', key: 'AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGgW3IPS7MrL1t8Bta0cZFzvqR8pZMoyuqIVAEXWwb9fAAAABHNzaDo=', )