author | Antoine Beaupré <anarcat@koumbit.org> | 2013-10-16 15:02:57 -0400 |
---|---|---|
committer | Antoine Beaupré <anarcat@koumbit.org> | 2013-10-16 15:02:57 -0400 |
commit | 5ac51aa1072c59e7998602a8466cd9bbc2aa8cef (patch) | |
tree | a8980893b5fe963f3eed1d7d1262bf12819abfe7 /manifests | |
parent | f661c786095e99087773f01351cebe00837f68a7 (diff) | |
parent | 71d9ff0ef0ace9941a19858acb807f89dfe44946 (diff) | |
Merge remote-tracking branch 'sarava/master'
Conflicts:
README
manifests/init.pp
Diffstat (limited to 'manifests')
-rw-r--r-- | manifests/init.pp | 234 |
1 files changed, 200 insertions, 34 deletions
diff --git a/manifests/init.pp b/manifests/init.pp
index 6885b45..a58faec 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -19,56 +19,222 @@ # # Class for monkeysphere management # + class monkeysphere( $ssh_port = '', $publish_key = false, - $ensure_version = 'installed' + $ensure_version = 'installed', + $keyserver = 'pool.sks-keyservers.net' ) { # The needed packages package{'monkeysphere': ensure => $ensure_version, } - $port = $monkeysphere::ssh_port ? { - '' => '', - default => ":${monkeysphere::ssh_port}", - } - $key = "ssh://${::fqdn}${port}" common::module_dir { [ 'monkeysphere', 'monkeysphere/hosts', 'monkeysphere/plugins' ]: } - file { - '/usr/local/sbin/monkeysphere-check-key': - ensure => present, - owner => root, - group => root, - mode => '0755', - content => "#!/bin/bash\n/usr/bin/gpg --homedir /var/lib/monkeysphere/host --list-keys '=${key}' &> /dev/null || false", - } - - # Server host key publication - Exec{ - unless => '/usr/local/sbin/monkeysphere-check-key', - user => 'root', - require => [ Package['monkeysphere'], File['/usr/local/sbin/monkeysphere-check-key'] ], - } - case $monkeysphere::publish_key { - false: { - exec { "/usr/sbin/monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ${key}": } - } - 'mail': { - $mail_loc = $::operatingsystem ? 
{ - 'centos' => '/bin/mail', - default => '/usr/bin/mail', - } - exec { "/usr/sbin/monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ${key} && \ - ${mail_loc} -s 'monkeysphere host pgp key for ${::fqdn}' root < /var/lib/monkeysphere/host_keys.pub.pgp": + # This was the old way which the module checked monkeysphere keys + file { "/usr/local/sbin/monkeysphere-check-key": + ensure => absent, + owner => root, + group => root, + mode => 0755, + content => "#!/bin/bash\n/usr/bin/gpg --homedir /var/lib/monkeysphere/host --list-keys '=$key' &> /dev/null || false", + } + + file { "monkeysphere_conf": + path => "/etc/monkeysphere/monkeysphere.conf", + mode => 644, + ensure => present, + content => template("monkeysphere/monkeysphere.conf.erb"), + require => Package['monkeysphere'], + } + file { "monkeysphere_host_conf": + path => "/etc/monkeysphere/monkeysphere-host.conf", + mode => 644, + ensure => present, + content => template("monkeysphere/monkeysphere-host.conf.erb"), + require => Package['monkeysphere'], + } + file { "monkeysphere_authentication_conf": + path => "/etc/monkeysphere/monkeysphere-authentication.conf", + mode => 644, + ensure => present, + content => template("monkeysphere/monkeysphere-authentication.conf.erb"), + require => Package['monkeysphere'], + } +} + +define monkeysphere::import_key ( $scheme = 'ssh://', $port = '', $path = '/etc/ssh/ssh_host_rsa_key', $hostname = $fqdn ) { + + # if we're getting a port number, prefix with a colon so it's valid + $prefixed_port = $port ? 
{ + '' => '', + default => ":$port" + } + + $key = "${scheme}${fqdn}${prefixed_port}" + + exec { "monkeysphere-host import-key $path $key": + alias => "monkeysphere-import-key", + require => [ Package["monkeysphere"], File["monkeysphere_host_conf"] ], + unless => "/usr/sbin/monkeysphere-host s | grep $key > /dev/null" + } +} + + # Server host key publication +define monkeysphere::publish_server_keys ( $keyid = '--all' ) { + exec { "monkeysphere-host publish-keys $keyid": + environment => "MONKEYSPHERE_PROMPT=false", + require => [ Package["monkeysphere"], Exec["monkeysphere-import-key"], File["monkeysphere_host_conf"] ], + } +} + +# optionally, mail key somehwere +define monkeysphere::email_server_keys ( ) { + $email = $title + exec { "mail -s 'monkeysphere host pgp keys for $fqdn' $email < /var/lib/monkeysphere/host_keys.pub.pgp": + require => Package["monkeysphere"], + subscribe => Exec["monkeysphere-import-key"], + refreshonly => true, + } +} + +# add certifiers +define monkeysphere::add_id_certifier( $keyid ) { + exec { "monkeysphere-authentication add-id-certifier $keyid": + environment => "MONKEYSPHERE_PROMPT=false", + require => [ Package["monkeysphere"], File["monkeysphere_authentication_conf"] ], + unless => "/usr/sbin/monkeysphere-authentication list-id-certifiers | grep $keyid > /dev/null" + } +} + +define monkeysphere::authorized_user_ids( $user_ids, $dest_dir = '/root/.monkeysphere', $dest_file = 'authorized_user_ids', $group = '') { + $user = $title + $calculated_group = $group ? 
{ + '' => $user, + default => $group + } + + # don't require user if it's root because root is not handled + # by puppet + case $user { + root: { + file { + $dest_dir: + owner => $user, + group => $calculated_group, + mode => 755, + ensure => directory, } } default: { - exec { "/usr/sbin/monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ${key} && \ - echo Y | /usr/sbin/monkeysphere-host publish-key": + file { + $dest_dir: + owner => $user, + group => $calculated_group, + mode => 755, + ensure => directory, + require => User[$user] } } } + + file { + "${dest_dir}/${dest_file}": + owner => $user, + group => $calculated_group, + mode => 644, + content => template('monkeysphere/authorized_user_ids.erb'), + ensure => present, + recurse => true, + require => File[$dest_dir] + } + + exec { "monkeysphere-authentication update-users $user": + refreshonly => true, + require => [ File["monkeysphere_authentication_conf"], Package["monkeysphere"] ], + subscribe => File["${dest_dir}/${dest_file}"] + } +} + +# ensure that the user has a gpg key created and it is authentication capable +# in the monkeysphere. This is intended to be the same as generated a +# password-less ssh key +# +define monkeysphere::auth_capable_user ( $expire = "1y", $length = "2048", + $uid_name = undef, $email = undef ) { + + $user = $title + + # The goal is no passphrase, monkeysphere won't work without a passphrase. + $calculated_passphrase = $gpg_auto_password ? { + '' => 'monkeys', + default => $gpg_auto_password + } + + $calculated_name = $uid_name ? { + '' => "$user user", + default => $uid_name + } + $calculated_email = $email ? 
{ + '' => "$user@$fqdn", + default => $email + } + exec { "monkeysphere-gen-key-$user": + command => "printf 'Key-Type: RSA\nKey-Length: 2048\nKey-Usage: encrypt,sign\nSubkey-Type: RSA\nSubkey-Length: 2048\nSubkey-Usage: encrypt\nName-Real: $calculated_name\nName-Email: $calculated_email\nPassphrase: $calculated_passphrase\nExpire-Date: 1y\n' | gpg --batch --gen-key", + require => [ Package["monkeysphere"] ], + user => $user, + unless => "gpg --list-secret-key | grep ^sec >/dev/null" + } + + #FIXME - we should check expiration date and extend it if we're < n days before expiration + + # handle auth subkey + exec { "monkeysphere-gen-subkey-$user": + command => "printf '$calculated_passphrase\n' | monkeysphere gen-subkey", + require => [ Package["monkeysphere"], Exec["monkeysphere-gen-key-$user" ] ], + user => $user, + unless => "gpg --list-key --with-colons $(gpg --list-secret-key --with-colons | grep ^sec | cut -d: -f5) | grep ^sub | cut -d: -f12 | grep a >/dev/null" + } + +} + +define monkeysphere::publish_user_key ( ){ + $user = $title + + $keyserver_arg = $monkeysphere_keyserver ? { + '' => '', + default => "--keyserver $monkeysphere_keyserver" + } + + exec { "monkeysphere-gpg-send-key-$user": + command => "gpg $keyserver_arg --send-key $(gpg --list-secret-key --with-colons | grep ^sec | cut -d: -f5)", + require => [ Package["monkeysphere"], Exec["monkeysphere-gen-key-$user" ] ], + user => $user, + } + +} + +define monkeysphere::owner_trust( $fingerprint, $user = 'root', $level = 6 ) { + $keyserver_arg = $monkeysphere_keyserver ? 
{ + '' => '', + default => "--keyserver $monkeysphere_keyserver" + } + + # ensure the key is in the key ring + exec { "monkeysphere-gpg-recv-key-$user-$fingerprint": + command => "gpg $keyserver_arg --recv-key $fingerprint", + require => [ Package["monkeysphere"] ], + user => $user, + unless => "gpg --list-key $fingerprint 2>&1 >/dev/null" + } + # provide ownertrust + exec { "monkeysphere-gpg-ownertrust-$user-$fingerprint": + command => "printf '$fingerprint:$level\n'\$(gpg --export-ownertrust) | gpg --import-ownertrust", + require => [ Package["monkeysphere"] ], + user => $user, + unless => "gpg --export-ownertrust | grep $fingerprint >/dev/null" + } } |
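Review bot: In `monkeysphere::auth_capable_user` the `$calculated_passphrase` selector falls back to the literal `'monkeys'` whenever the top-scope `$gpg_auto_password` is empty, so any host that does not set that variable gets a GPG authentication key protected by a passphrase that is checked into the module, and that passphrase is then interpolated into the `printf '...Passphrase: $calculated_passphrase...' | gpg --batch --gen-key` command string, where it is visible in process listings and will presumably show up in Puppet's exec output and reports as well. In the same exec the `$expire` and `$length` parameters are never used: the batch input hardcodes `Key-Length: 2048`, `Subkey-Length: 2048` and `Expire-Date: 1y`, so a caller passing other values silently gets a key that does not match what was requested. The same kind of slip is in `monkeysphere::import_key`, where `$key` is built from `$fqdn` while the `$hostname` parameter is ignored. I would drop the `'monkeys'` default in favour of an explicit `fail('gpg_auto_password must be set')` in the `''` branch, and substitute the parameters in the batch text: `Key-Length: $length`, `Subkey-Length: $length`, `Expire-Date: $expire`.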