| -rw-r--r-- | lib/puppet/type/ssh_authorized_key.rb | 9 | ||||
| -rw-r--r-- | lib/puppet/type/sshkey.rb | 7 | ||||
| -rw-r--r-- | spec/integration/provider/sshkey_spec.rb | 31 | ||||
| -rw-r--r-- | spec/unit/type/ssh_authorized_key_spec.rb | 14 | ||||
| -rw-r--r-- | spec/unit/type/sshkey_spec.rb | 14 | 
5 files changed, 65 insertions, 10 deletions
diff --git a/lib/puppet/type/ssh_authorized_key.rb b/lib/puppet/type/ssh_authorized_key.rb
index 648055c..953b1a6 100644
--- a/lib/puppet/type/ssh_authorized_key.rb
+++ b/lib/puppet/type/ssh_authorized_key.rb
@@ -62,11 +62,14 @@ module Puppet
     newproperty(:type) do
       desc 'The encryption type used.'
-      newvalues :'ssh-dss', :'ssh-rsa', :'ecdsa-sha2-nistp256', :'ecdsa-sha2-nistp384', :'ecdsa-sha2-nistp521', :'ssh-ed25519'
+      newvalues :'ssh-dss', :'ssh-rsa', :'ecdsa-sha2-nistp256', :'ecdsa-sha2-nistp384', :'ecdsa-sha2-nistp521', :'ssh-ed25519',
+                :'sk-ecdsa-sha2-nistp256@openssh.com', :'sk-ssh-ed25519@openssh.com'
       aliasvalue(:dsa, :'ssh-dss')
       aliasvalue(:ed25519, :'ssh-ed25519')
       aliasvalue(:rsa, :'ssh-rsa')
+      aliasvalue(:'ecdsa-sk', :'sk-ecdsa-sha2-nistp256@openssh.com')
+      aliasvalue(:'ed25519-sk', :'sk-ssh-ed25519@openssh.com')
     end
     newproperty(:key) do
@@ -159,7 +162,9 @@ module Puppet
     end
     # regular expression suitable for use by a ParsedFile based provider
-    REGEX = %r{^(?:(.+)\s+)?(ssh-dss|ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521)\s+([^ ]+)\s*(.*)$}
+    REGEX = %r{^(?:(.+)\s+)?(ssh-dss|ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|
+            ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|ecdsa-sk|ed25519-sk|
+            sk-ecdsa-sha2-nistp256@openssh.com|sk-ssh-ed25519@openssh.com)\s+([^ ]+)\s*(.*)$}x
     def self.keyline_regex
       REGEX
     end
diff --git a/lib/puppet/type/sshkey.rb b/lib/puppet/type/sshkey.rb
index c3cce5d..eeca5fe 100644
--- a/lib/puppet/type/sshkey.rb
+++ b/lib/puppet/type/sshkey.rb
@@ -15,7 +15,7 @@ module Puppet
     def self.title_patterns
       [
         [
-          %r{^(.*)@(.*)$},
+          %r{^(.*?)@(.*)$},
           [
             [:name],
             [:type],
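Review bot: The accepted key types are now spelled out in three places that have to stay in step: the `newvalues`/`aliasvalue` list in the first hunk of `lib/puppet/type/ssh_authorized_key.rb`, the `REGEX` alternation further down the same file, and the `newvalues` list in `lib/puppet/type/sshkey.rb`. If the parser's list lags behind the validation list, an authorized_keys line of the missing type is presumably not recognised as a key record, which matters for anything that audits or purges keys through this type. Consider building both the property values and the regex from one frozen constant, or at least add a comment above `newvalues` such as `# keep in sync with REGEX below and with sshkey.rb`. The enclosing module continues outside the hunk.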
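Review bot: In the new `REGEX` in `lib/puppet/type/ssh_authorized_key.rb` the dots in `@openssh.com` are unescaped, so each one matches any character; write the two alternatives as `sk-ecdsa-sha2-nistp256@openssh\.com|sk-ssh-ed25519@openssh\.com`. The alternation also accepts `ecdsa-sk` and `ed25519-sk`, which are the manifest aliases rather than the type names that, as far as I can tell, appear in an authorized_keys file, so a line carrying one of them would be parsed as a key record; unless that is intended, drop the two short names from the regex. Because the pattern now depends on the `x` flag, a one-line comment above it saying that whitespace and line breaks inside the literal are ignored would help whoever adds the next type.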
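Review bot: The non-greedy `(.*?)` in `title_patterns` of `lib/puppet/type/sshkey.rb` splits a title at its first `@` instead of its last, so a title whose name part itself contains `@` changes meaning: everything after the first `@` becomes the type and will probably fail type validation. That is what lets a title ending in `@sk-ssh-ed25519@openssh.com` work, but it is a behaviour change worth stating next to the pattern, e.g. `# split at the first '@': key types such as sk-ssh-ed25519@openssh.com contain one themselves`. The integration spec added in this commit covers the `@openssh.com` title but has no example for a name that contains `@`. `title_patterns` continues outside the hunk.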
@@ -35,11 +35,14 @@ module Puppet
       isnamevar
-      newvalues :'ssh-dss', :'ssh-ed25519', :'ssh-rsa', :'ecdsa-sha2-nistp256', :'ecdsa-sha2-nistp384', :'ecdsa-sha2-nistp521'
+      newvalues :'ssh-dss', :'ssh-ed25519', :'ssh-rsa', :'ecdsa-sha2-nistp256', :'ecdsa-sha2-nistp384', :'ecdsa-sha2-nistp521',
+                :'sk-ecdsa-sha2-nistp256@openssh.com', :'sk-ssh-ed25519@openssh.com'
       aliasvalue(:dsa, :'ssh-dss')
       aliasvalue(:ed25519, :'ssh-ed25519')
       aliasvalue(:rsa, :'ssh-rsa')
+      aliasvalue(:'ecdsa-sk', :'sk-ecdsa-sha2-nistp256@openssh.com')
+      aliasvalue(:'ed25519-sk', :'sk-ssh-ed25519@openssh.com')
     end
     newproperty(:key) do
diff --git a/spec/integration/provider/sshkey_spec.rb b/spec/integration/provider/sshkey_spec.rb
index 5f30db1..74e56a7 100644
--- a/spec/integration/provider/sshkey_spec.rb
+++ b/spec/integration/provider/sshkey_spec.rb
@@ -91,6 +91,25 @@ describe Puppet::Type.type(:sshkey).provider(:parsed), unless: Puppet.features.m
       expect(File.read(sshkey_file)).not_to match(%r{#{sshkey_name}.*Yqk0=})
     end
+    it 'prioritizes the specified type instead of type in the name' do
+      manifest = "#{type_under_test} { '#{super_unique}@rsa':
+      ensure => 'present',
+      type   => 'dsa',
+      key    => 'mykey',
+      target => '#{sshkey_file}' }"
+      apply_with_error_check(manifest)
+      expect(File.read(sshkey_file)).to match(%r{#{super_unique} ssh-dss.*mykey})
+    end
+
+    it 'can parse SSH key type that contains @openssh.com in name' do
+      manifest = "#{type_under_test} { '#{super_unique}@sk-ssh-ed25519@openssh.com':
+      ensure => 'present',
+      key    => 'mykey',
+      target => '#{sshkey_file}' }"
+      apply_with_error_check(manifest)
+      expect(File.read(sshkey_file)).to match(%r{#{super_unique} sk-ssh-ed25519@openssh.com.*mykey})
+    end
+
     # test all key types
     types = [
       'ssh-dss',     'dsa',
@@ -98,14 +117,18 @@ describe Puppet::Type.type(:sshkey).provider(:parsed), unless: Puppet.features.m
       'ssh-rsa',     'rsa',
       'ecdsa-sha2-nistp256',
       'ecdsa-sha2-nistp384',
-      'ecdsa-sha2-nistp521'
+      'ecdsa-sha2-nistp521',
+      'ecdsa-sk', 'sk-ecdsa-sha2-nistp256@openssh.com',
+      'ed25519-sk', 'sk-ssh-ed25519@openssh.com'
     ]
     # these types are treated as aliases for sshkey <ahem> type
     #   so they are populated as the *values* below
     aliases = {
-      'dsa'     => 'ssh-dss',
-      'ed25519' => 'ssh-ed25519',
-      'rsa'     => 'ssh-rsa',
+      'dsa'        => 'ssh-dss',
+      'ed25519'    => 'ssh-ed25519',
+      'rsa'        => 'ssh-rsa',
+      'ecdsa-sk'   => 'sk-ecdsa-sha2-nistp256@openssh.com',
+      'ed25519-sk' => 'sk-ssh-ed25519@openssh.com',
     }
     types.each do |type|
       it "should update an entry with #{type} type" do
diff --git a/spec/unit/type/ssh_authorized_key_spec.rb b/spec/unit/type/ssh_authorized_key_spec.rb
index 457537c..cf4ae8a 100644
--- a/spec/unit/type/ssh_authorized_key_spec.rb
+++ b/spec/unit/type/ssh_authorized_key_spec.rb
@@ -85,7 +85,9 @@ describe Puppet::Type.type(:ssh_authorized_key), unless: Puppet.features.microso
         :'ecdsa-sha2-nistp256',
         :'ecdsa-sha2-nistp384',
         :'ecdsa-sha2-nistp521',
-        :ed25519, :'ssh-ed25519'
+        :ed25519, :'ssh-ed25519',
+        :'ecdsa-sk', :'sk-ecdsa-sha2-nistp256@openssh.com',
+        :'ed25519-sk', :'sk-ssh-ed25519@openssh.com'
       ].each do |keytype|
         it "supports #{keytype}" do
           described_class.new(name: 'whev', type: keytype, user: 'nobody')
@@ -102,6 +104,16 @@ describe Puppet::Type.type(:ssh_authorized_key), unless: Puppet.features.microso
         expect(key.should(:type)).to eq :'ssh-dss'
       end
+      it 'aliases :ecdsa-sk to :sk-ecdsa-sha2-nistp256@openssh.com' do
+        key = described_class.new(name: 'whev', type: :'ecdsa-sk', user: 'nobody')
+        expect(key.should(:type)).to eq :'sk-ecdsa-sha2-nistp256@openssh.com'
+      end
+
+      it 'aliases :ed25519-sk to :sk-ssh-ed25519@openssh.com' do
+        key = described_class.new(name: 'whev', type: :'ed25519-sk', user: 'nobody')
+        expect(key.should(:type)).to eq :'sk-ssh-ed25519@openssh.com'
+      end
+
       it "doesn't support values other than ssh-dss, ssh-rsa, dsa, rsa" do
         expect { described_class.new(name: 'whev', type: :something) }.to raise_error(Puppet::Error, %r{Invalid value})
       end
diff --git a/spec/unit/type/sshkey_spec.rb b/spec/unit/type/sshkey_spec.rb
index 680d9ec..53448ed 100644
--- a/spec/unit/type/sshkey_spec.rb
+++ b/spec/unit/type/sshkey_spec.rb
@@ -27,7 +27,9 @@ describe Puppet::Type.type(:sshkey) do
       :'ecdsa-sha2-nistp256',
       :'ecdsa-sha2-nistp384',
       :'ecdsa-sha2-nistp521',
-      :'ssh-ed25519', :ed25519
+      :'ssh-ed25519', :ed25519,
+      :'ecdsa-sk', :'sk-ecdsa-sha2-nistp256@openssh.com',
+      :'ed25519-sk', :'sk-ssh-ed25519@openssh.com'
     ].each do |keytype|
       it "supports #{keytype} as a type value" do
         described_class.new(name: 'foo', type: keytype)
@@ -44,6 +46,16 @@ describe Puppet::Type.type(:sshkey) do
       expect(key.parameter(:type).value).to eq :'ssh-dss'
     end
+    it 'aliases :ecdsa-sk to :sk-ecdsa-sha2-nistp256@openssh.com' do
+      key = described_class.new(name: 'foo', type: :'ecdsa-sk')
+      expect(key.parameter(:type).value).to eq :'sk-ecdsa-sha2-nistp256@openssh.com'
+    end
+
+    it 'aliases :ed25519-sk to :ssh-dss' do
+      key = described_class.new(name: 'foo', type: :'ed25519-sk')
+      expect(key.parameter(:type).value).to eq :'sk-ssh-ed25519@openssh.com'
+    end
+
     it "doesn't support values other than ssh-dss, ssh-rsa, dsa, rsa for type" do
       expect {
         described_class.new(name: 'whev', type: :'ssh-dsa')  |
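Review bot: The second example added to `spec/unit/type/sshkey_spec.rb` is described as `'aliases :ed25519-sk to :ssh-dss'` but asserts `:'sk-ssh-ed25519@openssh.com'`; the description looks copied from the dsa example above it. Rename it to `it 'aliases :ed25519-sk to :sk-ssh-ed25519@openssh.com' do` so that a failure report names the alias that is actually being checked.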
