puppetlabs-accounts: removing a user whose ssh key file lives outside the home directory
diff --git a/manifests/key_management.pp b/manifests/key_management.pp | |
index 6171151..091afc5 100644 | |
--- a/manifests/key_management.pp | |
+++ b/manifests/key_management.pp | |
@@ -22,6 +22,7 @@ | |
# @api private | |
# | |
define accounts::key_management( | |
+ Enum['present','absent'] $ensure = 'present', | |
String $user, | |
String $group, | |
Optional[String] $user_home = undef, | |
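Review bot: The new `Enum['present','absent'] $ensure = 'present'` carries a default but is declared ahead of the required `$user` and `$group` parameters, which puppet-lint reports as `parameter_order` (optional parameter listed before required parameter); moving it below the last required parameter keeps the define lint-clean, and since callers pass named arguments nothing breaks. The same applies to the `$ensure` added to `accounts::manage_keys` in this gist, where the enum is spelled `Enum['absent','present']` rather than `Enum['present','absent']`; using one spelling in both defines is a small consistency win. The parameter list of `accounts::key_management` continues outside the hunk.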
@@ -31,11 +32,13 @@ define accounts::key_management( | |
) { | |
if $user_home { | |
- file { "${user_home}/.ssh": | |
- ensure => directory, | |
- owner => $user, | |
- group => $group, | |
- mode => '0700', | |
+ if $ensure == 'present' { | |
+ file { "${user_home}/.ssh": | |
+ ensure => directory, | |
+ owner => $user, | |
+ group => $group, | |
+ mode => '0700', | |
+ } | |
} | |
} | |
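Review bot: The inner `if $ensure == 'present'` means that on removal the `${user_home}/.ssh` directory is deliberately left unmanaged rather than removed, and the code should say so, because a reader expects an `ensure => absent` counterpart next to the `file` resource; a comment such as `# on removal only the key file is managed here; the directory goes away with the home dir purge` above the resource makes the intent explicit. The two nested guards can also collapse to `if $user_home and $ensure == 'present' {`, which reads as one condition instead of two. Whether the home directory is actually purged on removal depends on the caller, which is outside this hunk.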
@@ -47,26 +50,37 @@ define accounts::key_management( | |
err(translate('Either user_home or sshkey_custom_path must be specified')) | |
} | |
+ if $ensure == 'present' { | |
+ $key_file_ensure = 'file' | |
+ $key_file_before = undef | |
+ } else { | |
+ $key_file_ensure = 'absent' | |
+ $key_file_before = [User[$user], Group[$group]] | |
+ } | |
file { $key_file: | |
- ensure => file, | |
+ ensure => $key_file_ensure, | |
owner => $user, | |
group => $group, | |
mode => '0600', | |
+ before => $key_file_before, | |
} | |
if $sshkeys != [] { | |
- if $user_home { | |
- $requires = [File["${user_home}/.ssh"], File[$key_file]] | |
- } else { | |
- $requires = [File[$key_file]] | |
- } | |
- $sshkeys.each |$sshkey| { | |
- accounts::manage_keys { "${sshkey} for ${user}": | |
- keyspec => $sshkey, | |
- user => $user, | |
- key_owner => $sshkey_owner, | |
- key_file => $key_file, | |
- require => $requires, | |
+ if $ensure == 'present' { | |
+ if $user_home { | |
+ $requires = [File["${user_home}/.ssh"], File[$key_file]] | |
+ } else { | |
+ $requires = [File[$key_file]] | |
+ } | |
+ $sshkeys.each |$sshkey| { | |
+ accounts::manage_keys { "${sshkey} for ${user}": | |
+ ensure => $ensure, | |
+ keyspec => $sshkey, | |
+ user => $user, | |
+ key_owner => $sshkey_owner, | |
+ key_file => $key_file, | |
+ require => $requires, | |
+ } | |
} | |
} | |
} | |
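Review bot: `$key_file_before = [User[$user], Group[$group]]` makes the absent path depend on `Group[$group]` being present in the catalog; if a caller passes a group it does not declare itself (a pre-existing system group, say), the agent aborts the run with a missing-dependency error and the account removal this ordering is meant to protect never happens, leaving the authorized_keys file in place. Since `owner`/`group` are ignored on a `file` with `ensure => absent`, ordering against the group buys nothing here, so `$key_file_before = User[$user]` is the safer form, and the user.pp change in this gist already chains the whole define before `User[$name]`. Separately, the `accounts::manage_keys` loop is still wrapped in `if $ensure == 'present'`, so the new `ensure => $ensure` inside it can only ever pass `'present'` and the absent handling added to manage_keys is unreachable from this define; either lift that guard (building `$requires` only in the present case) or drop the pass-through so the intent is clear. Whether every caller declares `Group[$group]` is not visible in this hunk.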
diff --git a/manifests/manage_keys.pp b/manifests/manage_keys.pp | |
index f426750..1bcbb29 100644 | |
--- a/manifests/manage_keys.pp | |
+++ b/manifests/manage_keys.pp | |
@@ -13,6 +13,7 @@ | |
# @api private | |
# | |
define accounts::manage_keys( | |
+ Enum['absent','present'] $ensure = 'present', | |
String $keyspec, | |
String $user, | |
String $key_file, | |
@@ -35,8 +36,11 @@ define accounts::manage_keys( | |
$key_title = "${user}_${key_type}_${key_name}" | |
+ if $ensure == 'absent' { | |
+ Ssh_authorized_key[$key_title] -> User[$user] | |
+ } | |
ssh_authorized_key { $key_title: | |
- ensure => present, | |
+ ensure => $ensure, | |
user => $key_owner, | |
key => $key_content, | |
type => $key_type, | |
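Review bot: `Ssh_authorized_key[$key_title] -> User[$user]` only compiles into a valid catalog when `User[$user]` is declared, and `$user` here is whatever `accounts::key_management` forwards, which in the custom-path branch of user.pp in this gist appears to be `$sshkey_owner` rather than the account being removed; if that owner is not itself an `accounts::user`, an absent run fails with a missing-dependency error instead of deleting the key. Expressing the ordering at the call site, where `User[$name]` is known to exist, avoids the trap; at minimum a comment such as `# assumes the caller declares User[$user]` should sit above the chain. As written this branch is also unreachable from `accounts::key_management`, which only instantiates `manage_keys` when `$ensure == 'present'`. The `ssh_authorized_key` resource continues outside the hunk.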
diff --git a/manifests/user.pp b/manifests/user.pp | |
index f33b0cc..11c4ac1 100644 | |
--- a/manifests/user.pp | |
+++ b/manifests/user.pp | |
@@ -292,30 +292,48 @@ define accounts::user( | |
forward_source => $forward_source, | |
user => $name, | |
group => $group, | |
- require => [ User[$name] ], | |
+ } | |
+ accounts::key_management { "${name}_key_management": | |
+ ensure => $ensure, | |
+ user => $name, | |
+ group => $group, | |
+ user_home => $_home, | |
+ sshkeys => $sshkeys, | |
+ sshkey_owner => $sshkey_owner, | |
+ sshkey_custom_path => $sshkey_custom_path, | |
} | |
if ( $ensure == 'present' ) { | |
- accounts::key_management { "${name}_key_management": | |
- user => $name, | |
- group => $group, | |
- user_home => $_home, | |
- sshkeys => $sshkeys, | |
- sshkey_owner => $sshkey_owner, | |
- sshkey_custom_path => $sshkey_custom_path, | |
- require => Accounts::Home_dir[$_home] | |
- } | |
+ User[$name] | |
+ -> Accounts::Home_dir[$_home] | |
+ -> Accounts::Key_management["${name}_key_management"] | |
+ } else { | |
+ # When purging users, we must first remove homedir and ssh key prior removing user | |
+ Accounts::Key_management["${name}_key_management"] | |
+ -> Accounts::Home_dir[$_home] | |
+ -> User[$name] | |
} | |
} elsif $sshkeys != [] { | |
# We are not managing the user's home directory but we have specified a | |
# custom, non-home directory for the ssh keys. | |
- if (($sshkey_custom_path != undef) and ($ensure == 'present')) { | |
+ if ($sshkey_custom_path != undef) { | |
accounts::key_management { "${name}_key_management": | |
+ ensure => $ensure, | |
user => $sshkey_owner, | |
group => $group, | |
sshkeys => $sshkeys, | |
sshkey_owner => $sshkey_owner, | |
sshkey_custom_path => $sshkey_custom_path, | |
} | |
+ if ( $ensure == 'present' ) { | |
+ User[$name] | |
+ -> Accounts::Home_dir[$_home] | |
+ -> Accounts::Key_management["${name}_key_management"] | |
+ } else { | |
+ # When purging users, we must first remove homedir and ssh key prior removing user | |
+ Accounts::Key_management["${name}_key_management"] | |
+ -> Accounts::Home_dir[$_home] | |
+ -> User[$name] | |
+ } | |
} | |
else { | |
warning(translate('ssh keys were passed for user %{name} but $managehome is set to false; not managing user ssh keys', |
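Review bot: In the `elsif $sshkeys != []` branch both new ordering chains route through `Accounts::Home_dir[$_home]`, yet the comment directly above says the home directory is not managed in this branch, so that resource is presumably not declared here and the reference will fail catalog application with a missing-dependency error; in the absent case that leaves both the user and its key file on the box. Dropping the middle hop gives `User[$name] -> Accounts::Key_management["${name}_key_management"]` for present and `Accounts::Key_management["${name}_key_management"] -> User[$name]` for absent, which is all the ordering this branch needs. Whether `Accounts::Home_dir[$_home]` is declared somewhere else for this case, and what `$_home` holds when the home directory is unmanaged, is outside the hunk. The enclosing `accounts::user` define starts and ends outside the hunk.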