diff options
Diffstat (limited to 'spec')
18 files changed, 1400 insertions, 0 deletions
diff --git a/spec/acceptance/tests/resource/ssh_authorized_key/create.rb b/spec/acceptance/tests/resource/ssh_authorized_key/create.rb new file mode 100644 index 0000000..6b4c879 --- /dev/null +++ b/spec/acceptance/tests/resource/ssh_authorized_key/create.rb @@ -0,0 +1,39 @@ +test_name "should create an entry for an SSH authorized key" + +tag 'audit:medium', + 'audit:refactor', # Use block style `test_run` + 'audit:acceptance' # Could be done at the integration (or unit) layer though + # actual changing of resources could irreparably damage a + # host running this, or require special permissions. + +confine :except, :platform => ['windows'] + +auth_keys = '~/.ssh/authorized_keys' +name = "pl#{rand(999999).to_i}" + +agents.each do |agent| + teardown do + #(teardown) restore the #{auth_keys} file + on(agent, "mv /tmp/auth_keys #{auth_keys}", :acceptable_exit_codes => [0,1]) + end + + #------- SETUP -------# + step "(setup) backup #{auth_keys} file" + on(agent, "cp #{auth_keys} /tmp/auth_keys", :acceptable_exit_codes => [0,1]) + on(agent, "chown $LOGNAME #{auth_keys}") + + #------- TESTS -------# + step "create an authorized key entry with puppet (present)" + args = ['ensure=present', + "user=$LOGNAME", + "type='rsa'", + "key='mykey'", + ] + on(agent, puppet_resource('ssh_authorized_key', "#{name}", args)) + + step "verify entry in #{auth_keys}" + on(agent, "cat #{auth_keys}") do |res| + fail_test "didn't find the ssh_authorized_key for #{name}" unless stdout.include? "#{name}" + end + +end diff --git a/spec/acceptance/tests/resource/ssh_authorized_key/destroy.rb b/spec/acceptance/tests/resource/ssh_authorized_key/destroy.rb new file mode 100644 index 0000000..c80e967 --- /dev/null +++ b/spec/acceptance/tests/resource/ssh_authorized_key/destroy.rb @@ -0,0 +1,42 @@ +test_name "should delete an entry for an SSH authorized key" + +tag 'audit:medium', + 'audit:refactor', # Use block style `test_run` + 'audit:acceptance' # Could be done at the integration (or unit) layer though + # actual changing of resources could irreparably damage a + # host running this, or require special permissions. + +confine :except, :platform => ['windows'] + +auth_keys = '~/.ssh/authorized_keys' +name = "pl#{rand(999999).to_i}" + +agents.each do |agent| + teardown do + #(teardown) restore the #{auth_keys} file + on(agent, "mv /tmp/auth_keys #{auth_keys}", :acceptable_exit_codes => [0,1]) + end + + #------- SETUP -------# + step "(setup) backup #{auth_keys} file" + on(agent, "cp #{auth_keys} /tmp/auth_keys", :acceptable_exit_codes => [0,1]) + + step "(setup) create an authorized key in the #{auth_keys} file" + on(agent, "echo '' >> #{auth_keys} && echo 'ssh-rsa mykey #{name}' >> #{auth_keys}") + on(agent, "chown $LOGNAME #{auth_keys}") + + #------- TESTS -------# + step "delete an authorized key entry with puppet (absent)" + args = ['ensure=absent', + "user=$LOGNAME", + "type='rsa'", + "key='mykey'", + ] + on(agent, puppet_resource('ssh_authorized_key', "#{name}", args)) + + step "verify entry deleted from #{auth_keys}" + on(agent, "cat #{auth_keys}") do |res| + fail_test "found the ssh_authorized_key for #{name}" if stdout.include? "#{name}" + end + +end diff --git a/spec/acceptance/tests/resource/ssh_authorized_key/modify.rb b/spec/acceptance/tests/resource/ssh_authorized_key/modify.rb new file mode 100644 index 0000000..0a50c31 --- /dev/null +++ b/spec/acceptance/tests/resource/ssh_authorized_key/modify.rb @@ -0,0 +1,43 @@ +test_name "should update an entry for an SSH authorized key" + +tag 'audit:medium', + 'audit:refactor', # Use block style `test_run` + 'audit:acceptance' # Could be done at the integration (or unit) layer though + # actual changing of resources could irreparably damage a + # host running this, or require special permissions. + +confine :except, :platform => ['windows'] + +auth_keys = '~/.ssh/authorized_keys' +name = "pl#{rand(999999).to_i}" + +agents.each do |agent| + teardown do + #(teardown) restore the #{auth_keys} file + on(agent, "mv /tmp/auth_keys #{auth_keys}", :acceptable_exit_codes => [0,1]) + end + + #------- SETUP -------# + step "(setup) backup #{auth_keys} file" + on(agent, "cp #{auth_keys} /tmp/auth_keys", :acceptable_exit_codes => [0,1]) + + step "(setup) create an authorized key in the #{auth_keys} file" + on(agent, "echo '' >> #{auth_keys} && echo 'ssh-rsa mykey #{name}' >> #{auth_keys}") + on(agent, "chown $LOGNAME #{auth_keys}") + + #------- TESTS -------# + step "update an authorized key entry with puppet (present)" + args = ['ensure=present', + "user=$LOGNAME", + "type='rsa'", + "key='mynewshinykey'", + ] + on(agent, puppet_resource('ssh_authorized_key', "#{name}", args)) + + step "verify entry updated in #{auth_keys}" + on(agent, "cat #{auth_keys}") do |res| + fail_test "didn't find the updated key for #{name}" unless stdout.include? "mynewshinykey #{name}" + fail_test "Found old key mykey #{name}" if stdout.include? "mykey #{name}" + end + +end diff --git a/spec/acceptance/tests/resource/ssh_authorized_key/query.rb b/spec/acceptance/tests/resource/ssh_authorized_key/query.rb new file mode 100644 index 0000000..8caff85 --- /dev/null +++ b/spec/acceptance/tests/resource/ssh_authorized_key/query.rb @@ -0,0 +1,35 @@ +test_name "should be able to find an existing SSH authorized key" + +tag 'audit:medium', + 'audit:refactor', # Use block style `test_run` + 'audit:acceptance' # Could be done at the integration (or unit) layer though + # actual changing of resources could irreparably damage a + # host running this, or require special permissions. + +skip_test("This test is blocked by PUP-1605") + +confine :except, :platform => ['windows'] + +auth_keys = '~/.ssh/authorized_keys' +name = "pl#{rand(999999).to_i}" + +agents.each do |agent| + teardown do + #(teardown) restore the #{auth_keys} file + on(agent, "mv /tmp/auth_keys #{auth_keys}", :acceptable_exit_codes => [0,1]) + end + + #------- SETUP -------# + step "(setup) backup #{auth_keys} file" + on(agent, "cp #{auth_keys} /tmp/auth_keys", :acceptable_exit_codes => [0,1]) + + step "(setup) create an authorized key in the #{auth_keys} file" + on(agent, "echo '' >> #{auth_keys} && echo 'ssh-rsa mykey #{name}' >> #{auth_keys}") + + #------- TESTS -------# + step "verify SSH authorized key query with puppet" + on(agent, puppet_resource('ssh_authorized_key', "/#{name}")) do |res| + fail_test "Didn't find the ssh_authorized_key for #{name}" unless stdout.include? "#{name}" + end + +end diff --git a/spec/acceptance/tests/resource/sshkey/create.rb b/spec/acceptance/tests/resource/sshkey/create.rb new file mode 100644 index 0000000..4e75379 --- /dev/null +++ b/spec/acceptance/tests/resource/sshkey/create.rb @@ -0,0 +1,77 @@ +test_name "(PUP-5508) Should add an SSH key to the correct ssh_known_hosts file on OS X/macOS" do +# TestRail test case C93370 + +tag 'audit:medium', + 'audit:acceptance' # Could be done at the integration (or unit) layer though + # actual changing of resources could irreparably damage a + # host running this, or require special permissions. + +confine :to, :platform => /osx/ + +keyname = "pl#{rand(999999).to_i}" + +# FIXME: This is bletcherous +macos_version = fact_on(agent, "os.macosx.version.major") +if ["10.9","10.10"].include? macos_version + ssh_known_hosts = '/etc/ssh_known_hosts' +else + ssh_known_hosts = '/etc/ssh/ssh_known_hosts' +end + +teardown do + puts "Restore the #{ssh_known_hosts} file" + agents.each do |agent| + # Is it present? + rc = on(agent, "[ -e /tmp/ssh_known_hosts ]", + :accept_all_exit_codes => true) + if rc.exit_code == 0 + # It's present, so restore the original + on(agent, "mv -fv /tmp/ssh_known_hosts #{ssh_known_hosts}", + :accept_all_exit_codes => true) + else + # It's missing, which means there wasn't one to backup; just + # delete the one we laid down + on(agent, "rm -fv #{ssh_known_hosts}", + :accept_all_exit_codes => true) + end + end +end + +#------- SETUP -------# +step "Backup #{ssh_known_hosts} file, if present" do + # The 'cp' might fail because the source file doesn't exist + on(agent, "cp -fv #{ssh_known_hosts} /tmp/ssh_known_hosts", + :acceptable_exit_codes => [0,1]) +end + +#------- TESTS -------# +step 'Verify that the default file is empty or non-existent' do + # Is it even there? + rc = on(agent, "[ ! -e #{ssh_known_hosts} ]", + :acceptable_exit_codes => [0, 1]) + if rc.exit_code == 1 + # If it's there, it should be empty + on(agent, "cat #{ssh_known_hosts}") do |res| + fail_test "Default #{ssh_known_hosts} file not empty" \ + unless stdout.empty? + end + end +end + +step "Add an sshkey to the default file" do + args = [ + "ensure=present", + "key=how_about_the_key_of_c", + "type=ssh-rsa", + ] + on(agent, puppet_resource("sshkey", "#{keyname}", args)) +end + +step 'Verify the new entry in the default file' do + on(agent, "cat #{ssh_known_hosts}") do |rc| + fail_test "Didn't find the ssh_known_host entry for #{keyname}" \ + unless stdout.include? "#{keyname}" + end +end + +end diff --git a/spec/default_facts.yml b/spec/default_facts.yml new file mode 100644 index 0000000..3248be5 --- /dev/null +++ b/spec/default_facts.yml @@ -0,0 +1,8 @@ +# Use default_module_facts.yml for module specific facts. +# +# Facts specified here will override the values provided by rspec-puppet-facts. +--- +concat_basedir: "/tmp" +ipaddress: "172.16.254.254" +is_pe: false +macaddress: "AA:AA:AA:AA:AA:AA" diff --git a/spec/fixtures/integration/provider/sshkey/sample b/spec/fixtures/integration/provider/sshkey/sample new file mode 100644 index 0000000..840ed19 --- /dev/null +++ b/spec/fixtures/integration/provider/sshkey/sample @@ -0,0 +1,21 @@ +hosting2.planetargon.com,64.34.164.77 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAy+f2t52cDMrYkgEKQ6juqfMf/a0nDFry3JAzl+SAWQ0gTklVxNcVbfHx2pkZk66EBGQfrK33Bx1BflZ/iEDyiCwmzVtNba0X9A6ELYjB9WSkWdIqZCfPlKZMu9N//aZ6+3SDVuz/BVFsAVmtqQ4Let2QjOFiSIKXrtPqWvVT/MM= +kirby.madstop.com,192.168.0.5 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAw9iHuAa/wepHoUzWqsvhQvSkpE4K7agrdLOWHM9mvyRQ2X3HVq5GqzAvWu4J+f0FvcLPwA9tivpxt1oSt5MOtvDM6HoM+8m3P4daBp0nlNaYR8/vHCAmX6N3RyM8FWfp+VqWyux1SooQwxYxVFy86G78ApTqNsZ+p7cHmnBYqk0= +fedora1,192.168.0.51 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAyz1rKcApU4//j8CHYKexq4qnq2WVqLPrZYGnlij1t7FscLiDVKvBuRHVkfyTNIjAM/t7tM1Dj+FuD4iWziCmf7RO9q4wI5y/1zgCiSUegnZVSmH2yxnWGMdHGpXOkN3NXcpy6jylxyBo0M7T22PSezCxyUVfMclesjOEO1jETd0= +kirby ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAw9iHuAa/wepHoUzWqsvhQvSkpE4K7agrdLOWHM9mvyRQ2X3HVq5GqzAvWu4J+f0FvcLPwA9tivpxt1oSt5MOtvDM6HoM+8m3P4daBp0nlNaYR8/vHCAmX6N3RyM8FWfp+VqWyux1SooQwxYxVFy86G78ApTqNsZ+p7cHmnBYqk0= +sol10b,192.168.0.50 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAs37kiDwKxWqi6EfSdKwRaZXBwh2doOARRqZzyitBaPwESy26DwTx+xdQ2rwB4V2k1WIec+1f3bgTS2ArH75dQSPyba2HKqxaSRBd3Zh4z23+uUxpupEyoRdW1HolMOvuoceheSMsruiuYcuiyct41d4c/Qmr51Dv04Doi00k6Ws= +piratehaven.org,64.81.59.88 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA7TYRRkle0wDNohZ0TNZN6R1Zp0svxgX+GJ9umI5yNM1bMxUTgeNRh5nIvZg1HgD1WRXQ57dSxxLzbvRyAqc245g6S8eWWCtenvOFLl0rOF5D3VxbQuw79sOe8/Ac8TC+c8RuWB7aaxpwL5Rv9xfDeazOtoKXj7+uwQW1PUmTaEM= +atalanta,192.168.0.10 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAysniuWiJH6OQLXl63XXcS1b/hP2lAgSz0IutjQ6ZUfBrt1BZ8udEgSh57w5QDLsZ1lNvND61u5cy6iDKXI5TIQY4DvUmsoFZhyr4iYJbtT/h6UJSyaZtEnA7ZMRjGhUIMOn+mjbj7Z3zmJMhxtImK3Xo3O2fJ1hnK4jsBwQPSLc= +pixie,192.168.0.9 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAzDp588CvET6w11LB2s/vPjc4tX9+u46iYJgNFfhzxrXYMVv4GF7d30IXB5+Hwyi2FOQIG1+h0kUXVGWEv64rAFBT7pD2KMFX0lcDERV4avqT0TRDIIA5OqFOhq9Ff+kOmHS2cB7eFyR5vqbN4ujOnJGTmru9dcqyL+2AcFekvh0= +culain,192.168.0.3 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAvJ/IORhQMdAsJ7LB1sI2LlWUHc7HPTCDiEgJ96ij3jFvqaIiYieRFaNkxbbk75mPkj3vIqWIgAsAtHmKX4wDikNG/gyjs4WM4cWFKtl2jiVhqpoxqqCaVxs6Ex+vpKuKhQR6SzFBFDlBZYP9an6DPu1msTLT8/hZH2WwswVmpyU= +cs312-server.een.orst.edu,128.193.40.66 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA+t3hsOiyp1mztt013bLdJqIAFCo8lxlz86MYEPz/mADHzWLs3Xv7xpAUv/E8pRbhEOzXo84EddORRBXz6DgVyMah8+v/u3IOkpXuZI0Iu1n5hZyf2l5DGEyGecr3oqqjUdMuM9HeXFLnqXJI3hDE7civBtqf5AJSol+TCcipeE8= +freebsd1,192.168.0.52 ssh-dss AAAAB3NzaC1kc3MAAACBAJSiOyQhYlKAi0FDLKy42VzLDq6yJWXGXVCLSfgWyVx7QCq/3+W3C1dtHuAvjbypcjqqvsuGGITgQ1Y6B/+76n5d7FyQnj4SFZ5drOBn/TvslXhrS/Ok5KCcndfNAa+EyMnSZJ21jhoRjZftY4lmb4hy6fEF3RvjuOdf1qBN5FWpAAAAFQDcsWF0zELAW6YUlSjAyO0T0lfPbwAAAIAlOLdOd/WszzVaplCOnH5vF6LWfr6BosZKDkFi0mv6Ec636YGaj4AMxK8sRPusHv6sVByN17ntIJnLo2XD1SuoH28bZ0ZnPIdVnd0l1KqsOCuuow9LZYJUihezoUuYuTvij1jZdrwltuPNJTVLYtsZDnKE5plw+Tjzeb7ImjbXGwAAAIBT40olg3fxhRDiZECle0WK7GitgXCB3njs+4dba8VwveEJb9UuulMc1eR+zQiJR96IUBagC9NiLvUGS1IfiIHpT4FA8O/MK1W9SgxXB9d39Nk/9l8dH3U/fLnbC/hYVo8bN0or/mKxcxQMkdBwpPlWAbELRftod2BkkkvgfQdc+g== +192.168.0.2 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgwCZ+qxpMMRJ3otGsjaYeKTKf6tuCZyK1cD+ns9Eu7V0ZJLJ/LLMxduu7n4H/ufGI5rGV5axzgx8yZhjDRzsrGjLAQYsqlomMkf901YQI6UuieSA4MZa5MDkq/Jt6Vx1kEGTpkgrfw9kRMX5BngECt1QKY4xTgC7Ex+WlFvZwk+tRUT3 +openbsd1,192.168.0.54 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvgRVrtJk0fBg9YsLf7rWR1X32ZjFcva5XBvenDlHruObaHzuGXyyr6iOCAEOc7eCZjlPBYrGZ2potqyk8HlBOHXr1cCBf49t4yAt8KgKswtzWlgdbU1UEwllSRVOpzqULAT0smv/jfaIZdvRoN1rLriqtpn4bQL//ZOHiyXCwdlJ+di8Mza2L8KZ5T75hwIFBhrgL12xfymRp3v+Iy21MjjzsF3pROIkZ7icitNqQF55U9vsHaA37vG8FepVkO10bYYP7IHPZaBPBMPx7qPyRgRDJahEUGBnkIkzwJHEmA+7YMiNTZu6MigezD+CIqY1xOi/eXZwObLwLKXo7eRmpw== +192.168.0.60 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAufcvE7s1eRwhUwMBfZ6uFNxkdSdzjSDEn3vjByOjG/eraNhnYAW3rxV7WIf2pEa6JSOMrE1mqsEL75xEtpXlzC949Ysz4+1OSHY52KonoFm/a+FbmbFp81TVuVPYaLoeWN27STiJh+puC5spkIZe0laqT1GU13M4gj6B+j3NLhU= +rh3a,192.168.0.55 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAufcvE7s1eRwhUwMBfZ6uFNxkdSdzjSDEn3vjByOjG/eraNhnYAW3rxV7WIf2pEa6JSOMrE1mqsEL75xEtpXlzC949Ysz4+1OSHY52KonoFm/a+FbmbFp81TVuVPYaLoeWN27STiJh+puC5spkIZe0laqT1GU13M4gj6B+j3NLhU= +tsetse,192.168.0.7 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAwCDGn82BEMSCfcE2LZKcwdAoyIBC+u2twVwWNRm3KzyrJMQ+RbTQo4AwGOdyr/QYh6KaxTKTSoDtiBLr132uenMQKwF47gCKMA1T47uiy+TBUehgOGwOxteSYP/pQRpKXFmhOppSPyDPQVq234XvANeJp0iT8ZKEhF2FsWTs6sM= +config.sage.org,131.106.3.205 ssh-dss AAAAB3NzaC1kc3MAAACBAL2akEcIfQsfm3zCd2hD6PgH3kWA/tqX/qbrLhL/ipX7iqK/y282GMClZQSQjc1YNi9virvLzb6u/gdZxicZ8K5O3FaJrULQJOZaP62SOHk5CUSHVnvpMCaCnbwB6gEHa2LeMWStcEfWW+g1CC2hzPJw16/S5GISGXbyanO02MnXAAAAFQDomwx/OCjTmmQljMTU5rgNn2E4gwAAAIBmtMSfcs2Tq5iFFKK5cahluv047vVNfXqYIAkeJniceL0Et16MKfuzadpq0H9ocxQYW/5Ir9nUULrdxBUN9LxNKq15/uWkJC9QCSh8PysgvFnjVZeCODua/dn6eZTZnY9DZ3S6v1pT8CP6uWr5fmZJ8FKJGrC3gYX4y1V1ZTCVewAAAIB6e7RCST6vkTS5rgn5wGbrfLK5ad+PW+2i66k77Zv1pjtfRz+0oejBjwJDPNVSc2YNEl7X0nEEMNjo/a5x8Ls+nVqhzJA+NXIwS1e/moKbXFGewW5HAtxd79gtInC8dEIO7hmnWnqF1dBkRHXg1YffYkHrMVJBxpzagw7nYa0BBQ== +rh3b,192.168.0.56 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAufcvE7s1eRwhUwMBfZ6uFNxkdSdzjSDEn3vjByOjG/eraNhnYAW3rxV7WIf2pEa6JSOMrE1mqsEL75xEtpXlzC949Ysz4+1OSHY52KonoFm/a+FbmbFp81TVuVPYaLoeWN27STiJh+puC5spkIZe0laqT1GU13M4gj6B+j3NLhU= +centos1,192.168.0.57 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA0DXqYF+3Lf68GkWBAjjKBb6UITNnzm4wiDi/AGjv5+DoVXqDcqHvZ8rZFAMgUe1dVob4pWT2ZWLHW0gicoJCdr4UQbPXlWz1F62z8fo2PRRPlG6KN1wmF7pnyml8jr0wBX8lQZJsMqi4InGozf7wFHLH/7DNGRK3MD6tSp3Z4is= +doorstop.cafes.net,205.241.238.186 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApJKeB9/bN5t55zLETHs0MVo/vEkfQ3EzY7178GKLI/yiOFmcn+NvUvUtCQK/xKpod813LBHCODxZPG1Kb0SjlaC/EkFEenb74LNu0o1qXa1GWh3wfaIm0JRNjXqPqxAWTlMs43O2HXwOwmLVhl7SSP3xtTw6h9gREbVKmfBaRdsRfzD0etfz1NCnmGh/1Sh9+j4eeS+IBtwoR5JVhZVhuofHCqs5HZ8gLDgfn8HXP7pMbLkx54cf1R/tmFmn9JGLdTPtEGcSIiu7414XSbfChSC83rGZCDPKHq7ZodiE8GpbWLBnyPXi2AYxTPM7aZMqitIHv3MWf5suV0q0WLGdnQ== +host.domain.com,host1.domain.com,192.168.0.1 dss thisismykey1 diff --git a/spec/fixtures/unit/provider/sshkey/parsed/sample b/spec/fixtures/unit/provider/sshkey/parsed/sample new file mode 100644 index 0000000..840ed19 --- /dev/null +++ b/spec/fixtures/unit/provider/sshkey/parsed/sample @@ -0,0 +1,21 @@ +hosting2.planetargon.com,64.34.164.77 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAy+f2t52cDMrYkgEKQ6juqfMf/a0nDFry3JAzl+SAWQ0gTklVxNcVbfHx2pkZk66EBGQfrK33Bx1BflZ/iEDyiCwmzVtNba0X9A6ELYjB9WSkWdIqZCfPlKZMu9N//aZ6+3SDVuz/BVFsAVmtqQ4Let2QjOFiSIKXrtPqWvVT/MM= +kirby.madstop.com,192.168.0.5 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAw9iHuAa/wepHoUzWqsvhQvSkpE4K7agrdLOWHM9mvyRQ2X3HVq5GqzAvWu4J+f0FvcLPwA9tivpxt1oSt5MOtvDM6HoM+8m3P4daBp0nlNaYR8/vHCAmX6N3RyM8FWfp+VqWyux1SooQwxYxVFy86G78ApTqNsZ+p7cHmnBYqk0= +fedora1,192.168.0.51 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAyz1rKcApU4//j8CHYKexq4qnq2WVqLPrZYGnlij1t7FscLiDVKvBuRHVkfyTNIjAM/t7tM1Dj+FuD4iWziCmf7RO9q4wI5y/1zgCiSUegnZVSmH2yxnWGMdHGpXOkN3NXcpy6jylxyBo0M7T22PSezCxyUVfMclesjOEO1jETd0= +kirby ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAw9iHuAa/wepHoUzWqsvhQvSkpE4K7agrdLOWHM9mvyRQ2X3HVq5GqzAvWu4J+f0FvcLPwA9tivpxt1oSt5MOtvDM6HoM+8m3P4daBp0nlNaYR8/vHCAmX6N3RyM8FWfp+VqWyux1SooQwxYxVFy86G78ApTqNsZ+p7cHmnBYqk0= +sol10b,192.168.0.50 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAs37kiDwKxWqi6EfSdKwRaZXBwh2doOARRqZzyitBaPwESy26DwTx+xdQ2rwB4V2k1WIec+1f3bgTS2ArH75dQSPyba2HKqxaSRBd3Zh4z23+uUxpupEyoRdW1HolMOvuoceheSMsruiuYcuiyct41d4c/Qmr51Dv04Doi00k6Ws= +piratehaven.org,64.81.59.88 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA7TYRRkle0wDNohZ0TNZN6R1Zp0svxgX+GJ9umI5yNM1bMxUTgeNRh5nIvZg1HgD1WRXQ57dSxxLzbvRyAqc245g6S8eWWCtenvOFLl0rOF5D3VxbQuw79sOe8/Ac8TC+c8RuWB7aaxpwL5Rv9xfDeazOtoKXj7+uwQW1PUmTaEM= +atalanta,192.168.0.10 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAysniuWiJH6OQLXl63XXcS1b/hP2lAgSz0IutjQ6ZUfBrt1BZ8udEgSh57w5QDLsZ1lNvND61u5cy6iDKXI5TIQY4DvUmsoFZhyr4iYJbtT/h6UJSyaZtEnA7ZMRjGhUIMOn+mjbj7Z3zmJMhxtImK3Xo3O2fJ1hnK4jsBwQPSLc= +pixie,192.168.0.9 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAzDp588CvET6w11LB2s/vPjc4tX9+u46iYJgNFfhzxrXYMVv4GF7d30IXB5+Hwyi2FOQIG1+h0kUXVGWEv64rAFBT7pD2KMFX0lcDERV4avqT0TRDIIA5OqFOhq9Ff+kOmHS2cB7eFyR5vqbN4ujOnJGTmru9dcqyL+2AcFekvh0= +culain,192.168.0.3 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAvJ/IORhQMdAsJ7LB1sI2LlWUHc7HPTCDiEgJ96ij3jFvqaIiYieRFaNkxbbk75mPkj3vIqWIgAsAtHmKX4wDikNG/gyjs4WM4cWFKtl2jiVhqpoxqqCaVxs6Ex+vpKuKhQR6SzFBFDlBZYP9an6DPu1msTLT8/hZH2WwswVmpyU= +cs312-server.een.orst.edu,128.193.40.66 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA+t3hsOiyp1mztt013bLdJqIAFCo8lxlz86MYEPz/mADHzWLs3Xv7xpAUv/E8pRbhEOzXo84EddORRBXz6DgVyMah8+v/u3IOkpXuZI0Iu1n5hZyf2l5DGEyGecr3oqqjUdMuM9HeXFLnqXJI3hDE7civBtqf5AJSol+TCcipeE8= +freebsd1,192.168.0.52 ssh-dss AAAAB3NzaC1kc3MAAACBAJSiOyQhYlKAi0FDLKy42VzLDq6yJWXGXVCLSfgWyVx7QCq/3+W3C1dtHuAvjbypcjqqvsuGGITgQ1Y6B/+76n5d7FyQnj4SFZ5drOBn/TvslXhrS/Ok5KCcndfNAa+EyMnSZJ21jhoRjZftY4lmb4hy6fEF3RvjuOdf1qBN5FWpAAAAFQDcsWF0zELAW6YUlSjAyO0T0lfPbwAAAIAlOLdOd/WszzVaplCOnH5vF6LWfr6BosZKDkFi0mv6Ec636YGaj4AMxK8sRPusHv6sVByN17ntIJnLo2XD1SuoH28bZ0ZnPIdVnd0l1KqsOCuuow9LZYJUihezoUuYuTvij1jZdrwltuPNJTVLYtsZDnKE5plw+Tjzeb7ImjbXGwAAAIBT40olg3fxhRDiZECle0WK7GitgXCB3njs+4dba8VwveEJb9UuulMc1eR+zQiJR96IUBagC9NiLvUGS1IfiIHpT4FA8O/MK1W9SgxXB9d39Nk/9l8dH3U/fLnbC/hYVo8bN0or/mKxcxQMkdBwpPlWAbELRftod2BkkkvgfQdc+g== +192.168.0.2 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgwCZ+qxpMMRJ3otGsjaYeKTKf6tuCZyK1cD+ns9Eu7V0ZJLJ/LLMxduu7n4H/ufGI5rGV5axzgx8yZhjDRzsrGjLAQYsqlomMkf901YQI6UuieSA4MZa5MDkq/Jt6Vx1kEGTpkgrfw9kRMX5BngECt1QKY4xTgC7Ex+WlFvZwk+tRUT3 +openbsd1,192.168.0.54 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvgRVrtJk0fBg9YsLf7rWR1X32ZjFcva5XBvenDlHruObaHzuGXyyr6iOCAEOc7eCZjlPBYrGZ2potqyk8HlBOHXr1cCBf49t4yAt8KgKswtzWlgdbU1UEwllSRVOpzqULAT0smv/jfaIZdvRoN1rLriqtpn4bQL//ZOHiyXCwdlJ+di8Mza2L8KZ5T75hwIFBhrgL12xfymRp3v+Iy21MjjzsF3pROIkZ7icitNqQF55U9vsHaA37vG8FepVkO10bYYP7IHPZaBPBMPx7qPyRgRDJahEUGBnkIkzwJHEmA+7YMiNTZu6MigezD+CIqY1xOi/eXZwObLwLKXo7eRmpw== +192.168.0.60 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAufcvE7s1eRwhUwMBfZ6uFNxkdSdzjSDEn3vjByOjG/eraNhnYAW3rxV7WIf2pEa6JSOMrE1mqsEL75xEtpXlzC949Ysz4+1OSHY52KonoFm/a+FbmbFp81TVuVPYaLoeWN27STiJh+puC5spkIZe0laqT1GU13M4gj6B+j3NLhU= +rh3a,192.168.0.55 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAufcvE7s1eRwhUwMBfZ6uFNxkdSdzjSDEn3vjByOjG/eraNhnYAW3rxV7WIf2pEa6JSOMrE1mqsEL75xEtpXlzC949Ysz4+1OSHY52KonoFm/a+FbmbFp81TVuVPYaLoeWN27STiJh+puC5spkIZe0laqT1GU13M4gj6B+j3NLhU= +tsetse,192.168.0.7 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAwCDGn82BEMSCfcE2LZKcwdAoyIBC+u2twVwWNRm3KzyrJMQ+RbTQo4AwGOdyr/QYh6KaxTKTSoDtiBLr132uenMQKwF47gCKMA1T47uiy+TBUehgOGwOxteSYP/pQRpKXFmhOppSPyDPQVq234XvANeJp0iT8ZKEhF2FsWTs6sM= +config.sage.org,131.106.3.205 ssh-dss AAAAB3NzaC1kc3MAAACBAL2akEcIfQsfm3zCd2hD6PgH3kWA/tqX/qbrLhL/ipX7iqK/y282GMClZQSQjc1YNi9virvLzb6u/gdZxicZ8K5O3FaJrULQJOZaP62SOHk5CUSHVnvpMCaCnbwB6gEHa2LeMWStcEfWW+g1CC2hzPJw16/S5GISGXbyanO02MnXAAAAFQDomwx/OCjTmmQljMTU5rgNn2E4gwAAAIBmtMSfcs2Tq5iFFKK5cahluv047vVNfXqYIAkeJniceL0Et16MKfuzadpq0H9ocxQYW/5Ir9nUULrdxBUN9LxNKq15/uWkJC9QCSh8PysgvFnjVZeCODua/dn6eZTZnY9DZ3S6v1pT8CP6uWr5fmZJ8FKJGrC3gYX4y1V1ZTCVewAAAIB6e7RCST6vkTS5rgn5wGbrfLK5ad+PW+2i66k77Zv1pjtfRz+0oejBjwJDPNVSc2YNEl7X0nEEMNjo/a5x8Ls+nVqhzJA+NXIwS1e/moKbXFGewW5HAtxd79gtInC8dEIO7hmnWnqF1dBkRHXg1YffYkHrMVJBxpzagw7nYa0BBQ== +rh3b,192.168.0.56 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAufcvE7s1eRwhUwMBfZ6uFNxkdSdzjSDEn3vjByOjG/eraNhnYAW3rxV7WIf2pEa6JSOMrE1mqsEL75xEtpXlzC949Ysz4+1OSHY52KonoFm/a+FbmbFp81TVuVPYaLoeWN27STiJh+puC5spkIZe0laqT1GU13M4gj6B+j3NLhU= +centos1,192.168.0.57 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA0DXqYF+3Lf68GkWBAjjKBb6UITNnzm4wiDi/AGjv5+DoVXqDcqHvZ8rZFAMgUe1dVob4pWT2ZWLHW0gicoJCdr4UQbPXlWz1F62z8fo2PRRPlG6KN1wmF7pnyml8jr0wBX8lQZJsMqi4InGozf7wFHLH/7DNGRK3MD6tSp3Z4is= +doorstop.cafes.net,205.241.238.186 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApJKeB9/bN5t55zLETHs0MVo/vEkfQ3EzY7178GKLI/yiOFmcn+NvUvUtCQK/xKpod813LBHCODxZPG1Kb0SjlaC/EkFEenb74LNu0o1qXa1GWh3wfaIm0JRNjXqPqxAWTlMs43O2HXwOwmLVhl7SSP3xtTw6h9gREbVKmfBaRdsRfzD0etfz1NCnmGh/1Sh9+j4eeS+IBtwoR5JVhZVhuofHCqs5HZ8gLDgfn8HXP7pMbLkx54cf1R/tmFmn9JGLdTPtEGcSIiu7414XSbfChSC83rGZCDPKHq7ZodiE8GpbWLBnyPXi2AYxTPM7aZMqitIHv3MWf5suV0q0WLGdnQ== +host.domain.com,host1.domain.com,192.168.0.1 dss thisismykey1 diff --git a/spec/fixtures/unit/provider/sshkey/parsed/sample_with_blank_lines b/spec/fixtures/unit/provider/sshkey/parsed/sample_with_blank_lines new file mode 100644 index 0000000..02535df --- /dev/null +++ b/spec/fixtures/unit/provider/sshkey/parsed/sample_with_blank_lines @@ -0,0 +1,8 @@ +# A comment + +# ... and another after a blank line. The following line includes three whitespace characters. + +hosting2.planetargon.com,64.34.164.77 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAy+f2t52cDMrYkgEKQ6juqfMf/a0nDFry3JAzl+SAWQ0gTklVxNcVbfHx2pkZk66EBGQfrK33Bx1BflZ/ iEDyiCwmzVtNba0X9A6ELYjB9WSkWdIqZCfPlKZMu9N//aZ6+3SDVuz/BVFsAVmtqQ4Let2QjOFiSIKXrtPqWvVT/MM= + +will.isawesome.com,192.168.0.5 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAw9iHuAa/wepHoUzWqsvhQvSkpE4K7agrdLOWHM9mvyRQ2X3HVq5GqzAvWu4J+f0FvcLPwA9tivpxt1oSt5MOtvDM6HoM+8m3P4daBp0nlNaYR8/vHCAmX6N3RyM8FWfp+VqWyux1SooQwxYxVFy86G78ApTqNsZ+p7cHmnBYqk0= +will.isgreat.com,192.168.0.6 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAw9iHuAa/wepHoUzWqsvhQvSkpE4K7agrdLOWHM9mvyRQ2X3HVq5GqzAvWu4J+f0FvcLPwA9tivpxt1oSt5MOtvDM6HoM+8m3P4daBp0nlNaYR8/vHCAmX6N3RyM8FWfp+VqWyux1SooQwxYxVFy86G78ApTqNsZ+p7cHmnBasd= diff --git a/spec/integration/provider/ssh_authorized_key_spec.rb b/spec/integration/provider/ssh_authorized_key_spec.rb new file mode 100644 index 0000000..14af2de --- /dev/null +++ b/spec/integration/provider/ssh_authorized_key_spec.rb @@ -0,0 +1,219 @@ +#! /usr/bin/env ruby + +require 'spec_helper' +require 'puppet/file_bucket/dipper' + +describe Puppet::Type.type(:ssh_authorized_key).provider(:parsed), '(integration)', :unless => Puppet.features.microsoft_windows? do + include PuppetSpec::Files + + let :fake_userfile do + tmpfile('authorized_keys.user') + end + + let :fake_rootfile do + tmpfile('authorized_keys.root') + end + + let :sample_rsa_keys do + [ + 'AAAAB3NzaC1yc2EAAAADAQABAAAAgQCi18JBZOq10X3w4f67nVhO0O3s5Y1vHH4UgMSM3ZnQwbC5hjGyYSi9UULOoQQoQynI/a0I9NL423/Xk/XJVIKCHcS8q6V2Wmjd+fLNelOjxxoW6mbIytEt9rDvwgq3Mof3/m21L3t2byvegR00a+ikKbmInPmKwjeWZpexCIsHzQ==', # 1024 bit + 'AAAAB3NzaC1yc2EAAAADAQABAAAAgQDLClyvi3CsJw5Id6khZs2/+s11qOH4Gdp6iDioDsrIp0m8kSiPr71VGyQYAfPzzvHemHS7Xg0NkG1Kc8u9tRqBQfTvz7ubq0AT/g01+4P2hQ/soFkuwlUG/HVnnaYb6N0Qp5SHWvD5vBE2nFFQVpP5GrSctPtHSjzJq/i+6LYhmQ==', # 1024 bit + 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDLygAO6txXkh9FNV8xSsBkATeqLbHzS7sFjGI3gt0Dx6q3LjyKwbhQ1RLf28kd5G6VWiXmClU/RtiPdUz8nrGuun++2mrxzrXrvpR9dq1lygLQ2wn2cI35dN5bjRMtXy3decs6HUhFo9MoNwX250rUWfdCyNPhGIp6OOfmjdy+UeLGNxq9wDx6i4bT5tVVSqVRtsEfw9+ICXchzl85QudjneVVpP+thriPZXfXA5eaGwAo/dmoKOIhUwF96gpdLqzNtrGQuxPbV80PTbGv9ZtAtTictxaDz8muXO7he9pXmchUpxUKtMFjHkL0FAZ9tRPmv3RA30sEr2fZ8+LKvnE50w0' #2048 Bit + ] + end + + let :sample_dsa_keys do + [ + 'AAAAB3NzaC1kc3MAAACBAOPck2O8MIDSqxPSnvENt6tzRrKJ5oOhB6Nc6oEcWm+VEH1gvuxdiRqwoMgRwyEf1yUd+UAcLw3a6Jn+EtFyEBN/5WF+4Tt4xTxZ0Pfik2Wc5uqHbQ2dkmOoXiAOYPiD3JUQ1Xwm/J0CgetjitoLfzAGdCNhMqguqAuHcVJ78ZZbAAAAFQCIBKFYZ+I18I+dtgteirXh+VVEEwAAAIEAs1yvQ/wnLLrRCM660pF4kBiw3D6dJfMdCXWQpn0hZmkBQSIzZv4Wuk3giei5luxscDxNc+y3CTXtnyG4Kt1Yi2sOdvhRI3rX8tD+ejn8GHazM05l5VIo9uu4AQPIE32iV63IqgApSBbJ6vDJW91oDH0J492WdLCar4BS/KE3cRwAAACBAN0uSDyJqYLRsfYcFn4HyVf6TJxQm1IcwEt6GcJVzgjri9VtW7FqY5iBqa9B9Zdh5XXAYJ0XLsWQCcrmMHM2XGHGpA4gL9VlCJ/0QvOcXxD2uK7IXwAVUA7g4V4bw8EVnFv2Flufozhsp+4soo1xiYc5jiFVHwVlk21sMhAtKAeF' # 1024 Bit + ] + end + + let :sample_lines do + [ + "ssh-rsa #{sample_rsa_keys[1]} root@someotherhost", + "ssh-dss #{sample_dsa_keys[0]} root@anywhere", + "ssh-rsa #{sample_rsa_keys[2]} paul", + "ssh-rsa #{sample_rsa_keys[2]} dummy" + ] + end + + let :dummy do + Puppet::Type.type(:ssh_authorized_key).new( + :name => 'dummy', + :target => fake_userfile, + :user => 'nobody', + :ensure => :absent + ) + end + + before :each do + File.stubs(:chown) + File.stubs(:chmod) + Puppet::Util::SUIDManager.stubs(:asuser).yields + end + + after :each do + described_class.clear # Work around bug #6628 + end + + def create_fake_key(username, content) + filename = (username == :root ? fake_rootfile : fake_userfile ) + File.open(filename, 'w') do |f| + content.each do |line| + f.puts line + end + end + end + + def check_fake_key(username, expected_content) + filename = (username == :root ? fake_rootfile : fake_userfile ) + content = File.readlines(filename).map(&:chomp).sort.reject{ |x| x =~ /^# HEADER:/ } + expect(content.join("\n")).to eq(expected_content.sort.join("\n")) + end + + def run_in_catalog(*resources) + Puppet::FileBucket::Dipper.any_instance.stubs(:backup) # Don't backup to the filebucket + catalog = Puppet::Resource::Catalog.new + catalog.host_config = false + resources.each do |resource| + resource.expects(:err).never + catalog.add_resource(resource) + end + catalog.apply + end + + it "should not complain about empty lines and comments" do + described_class.expects(:flush).never + sample = ['',sample_lines[0],' ',sample_lines[1],'# just a comment','#and another'] + create_fake_key(:user,sample) + run_in_catalog(dummy) + check_fake_key(:user, sample) + end + + it "should keep empty lines and comments when modifying a file" do + create_fake_key(:user, ['',sample_lines[0],' ',sample_lines[3],'# just a comment','#and another']) + run_in_catalog(dummy) + check_fake_key(:user, ['',sample_lines[0],' ','# just a comment','#and another']) + end + + describe "when managing one resource" do + + describe "with ensure set to absent" do + let :resource do + Puppet::Type.type(:ssh_authorized_key).new( + :name => 'root@hostname', + :type => :rsa, + :key => sample_rsa_keys[0], + :target => fake_rootfile, + :user => 'root', + :ensure => :absent + ) + end + + it "should not modify root's keyfile if resource is currently not present" do + create_fake_key(:root, sample_lines) + run_in_catalog(resource) + check_fake_key(:root, sample_lines) + end + + it "remove the key from root's keyfile if resource is currently present" do + create_fake_key(:root, sample_lines + ["ssh-rsa #{sample_rsa_keys[0]} root@hostname"]) + run_in_catalog(resource) + check_fake_key(:root, sample_lines) + end + end + + describe "when ensure is present" do + let :resource do + Puppet::Type.type(:ssh_authorized_key).new( + :name => 'root@hostname', + :type => :rsa, + :key => sample_rsa_keys[0], + :target => fake_rootfile, + :user => 'root', + :ensure => :present + ) + end + + # just a dummy so the parsedfile provider is aware + # of the user's authorized_keys file + + it "should add the key if it is not present" do + create_fake_key(:root, sample_lines) + run_in_catalog(resource) + check_fake_key(:root, sample_lines + ["ssh-rsa #{sample_rsa_keys[0]} root@hostname" ]) + end + + it "should modify the type if type is out of sync" do + create_fake_key(:root,sample_lines + [ "ssh-dss #{sample_rsa_keys[0]} root@hostname" ]) + run_in_catalog(resource) + check_fake_key(:root, sample_lines + [ "ssh-rsa #{sample_rsa_keys[0]} root@hostname" ]) + end + + it "should modify the key if key is out of sync" do + create_fake_key(:root,sample_lines + [ "ssh-rsa #{sample_rsa_keys[1]} root@hostname" ]) + run_in_catalog(resource) + check_fake_key(:root, sample_lines + [ "ssh-rsa #{sample_rsa_keys[0]} root@hostname" ]) + end + + it "should remove the key from old file if target is out of sync" do + create_fake_key(:user, [ sample_lines[0], "ssh-rsa #{sample_rsa_keys[0]} root@hostname" ]) + create_fake_key(:root, [ sample_lines[1], sample_lines[2] ]) + run_in_catalog(resource, dummy) + check_fake_key(:user, [ sample_lines[0] ]) + #check_fake_key(:root, [ sample_lines[1], sample_lines[2], "ssh-rsa #{sample_rsa_keys[0]} root@hostname" ]) + end + + it "should add the key to new file if target is out of sync" do + create_fake_key(:user, [ sample_lines[0], "ssh-rsa #{sample_rsa_keys[0]} root@hostname" ]) + create_fake_key(:root, [ sample_lines[1], sample_lines[2] ]) + run_in_catalog(resource, dummy) + #check_fake_key(:user, [ sample_lines[0] ]) + check_fake_key(:root, [ sample_lines[1], sample_lines[2], "ssh-rsa #{sample_rsa_keys[0]} root@hostname" ]) + end + + it "should modify options if options are out of sync" do + resource[:options]=[ 'from="*.domain1,host1.domain2"', 'no-port-forwarding', 'no-pty' ] + create_fake_key(:root, sample_lines + [ "from=\"*.false,*.false2\",no-port-forwarding,no-pty ssh-rsa #{sample_rsa_keys[0]} root@hostname"]) + run_in_catalog(resource) + check_fake_key(:root, sample_lines + [ "from=\"*.domain1,host1.domain2\",no-port-forwarding,no-pty ssh-rsa #{sample_rsa_keys[0]} root@hostname"] ) + end + end + end + + describe "when managing two resource" do + let :examples do + resources = [] + resources << Puppet::Type.type(:ssh_authorized_key).new( + :name => 'root@hostname', + :type => :rsa, + :key => sample_rsa_keys[0], + :target => fake_rootfile, + :user => 'root', + :ensure => :present + ) + resources << Puppet::Type.type(:ssh_authorized_key).new( + :name => 'user@hostname', + :key => sample_rsa_keys[1], + :type => :rsa, + :target => fake_userfile, + :user => 'nobody', + :ensure => :present + ) + resources + end + + describe "and both keys are absent" do + before :each do + create_fake_key(:root, sample_lines) + create_fake_key(:user, sample_lines) + end + + it "should add both keys" do + run_in_catalog(*examples) + check_fake_key(:root, sample_lines + [ "ssh-rsa #{sample_rsa_keys[0]} root@hostname" ]) + check_fake_key(:user, sample_lines + [ "ssh-rsa #{sample_rsa_keys[1]} user@hostname" ]) + end + end + end +end diff --git a/spec/integration/provider/sshkey_spec.rb b/spec/integration/provider/sshkey_spec.rb new file mode 100644 index 0000000..f461460 --- /dev/null +++ b/spec/integration/provider/sshkey_spec.rb @@ -0,0 +1,159 @@ +#!/usr/bin/env ruby + +require 'spec_helper' +require 'puppet/file_bucket/dipper' +require 'puppet_spec/files' +require 'puppet_spec/compiler' + +describe Puppet::Type.type(:sshkey).provider(:parsed), '(integration)', + :unless => Puppet.features.microsoft_windows? do + include PuppetSpec::Files + include PuppetSpec::Compiler + + before :each do + # Don't backup to filebucket + Puppet::FileBucket::Dipper.any_instance.stubs(:backup) + # We don't want to execute anything + described_class.stubs(:filetype). + returns Puppet::Util::FileType::FileTypeFlat + + @sshkey_file = tmpfile('sshkey_integration_specs') + FileUtils.cp(my_fixture('sample'), @sshkey_file) + end + + after :each do + # sshkey provider class + described_class.clear + end + + let(:type_under_test) { 'sshkey' } + + describe "when managing a ssh known hosts file it..." do + + let(:super_unique) { "my.super.unique.host" } + it "should create a new known_hosts file with mode 0644" do + target = tmpfile('ssh_known_hosts') + manifest = "#{type_under_test} { '#{super_unique}': + ensure => 'present', + type => 'rsa', + key => 'TESTKEY', + target => '#{target}' }" + apply_with_error_check(manifest) + expect_file_mode(target, "644") + end + + it "should create an SSH host key entry (ensure present)" do + manifest = "#{type_under_test} { '#{super_unique}': + ensure => 'present', + type => 'rsa', + key => 'mykey', + target => '#{@sshkey_file}' }" + apply_with_error_check(manifest) + expect(File.read(@sshkey_file)).to match(/#{super_unique}.*mykey/) + end + + let(:sshkey_name) { 'kirby.madstop.com' } + it "should delete an entry for an SSH host key" do + manifest = "#{type_under_test} { '#{sshkey_name}': + ensure => 'absent', + target => '#{@sshkey_file}' }" + apply_with_error_check(manifest) + expect(File.read(@sshkey_file)).not_to match(/#{sshkey_name}.*Yqk0=/) + end + + it "should update an entry for an SSH host key" do + manifest = "#{type_under_test} { '#{sshkey_name}': + ensure => 'present', + type => 'rsa', + key => 'mynewshinykey', + target => '#{@sshkey_file}' }" + apply_with_error_check(manifest) + expect(File.read(@sshkey_file)).to match(/#{sshkey_name}.*mynewshinykey/) + expect(File.read(@sshkey_file)).not_to match(/#{sshkey_name}.*Yqk0=/) + end + + # test all key types + types = ["ssh-dss", "dsa", + "ssh-ed25519", "ed25519", + "ssh-rsa", "rsa", + "ecdsa-sha2-nistp256", + "ecdsa-sha2-nistp384", + "ecdsa-sha2-nistp521"] + # these types are treated as aliases for sshkey <ahem> type + # so they are populated as the *values* below + aliases = {"dsa" => "ssh-dss", + "ed25519" => "ssh-ed25519", + "rsa" => "ssh-rsa"} + types.each do |type| + it "should update an entry with #{type} type" do + manifest = "#{type_under_test} { '#{sshkey_name}': + ensure => 'present', + type => '#{type}', + key => 'mynewshinykey', + target => '#{@sshkey_file}' }" + + apply_with_error_check(manifest) + if aliases.has_key?(type) + full_type = aliases[type] + expect(File.read(@sshkey_file)). + to match(/#{sshkey_name}.*#{full_type}.*mynew/) + else + expect(File.read(@sshkey_file)). + to match(/#{sshkey_name}.*#{type}.*mynew/) + end + end + end + + # test unknown key type fails + let(:invalid_type) { 'ssh-er0ck' } + it "should raise an error with an unknown type" do + manifest = "#{type_under_test} { '#{sshkey_name}': + ensure => 'present', + type => '#{invalid_type}', + key => 'mynewshinykey', + target => '#{@sshkey_file}' }" + expect { + apply_compiled_manifest(manifest) + }.to raise_error(Puppet::ResourceError, /Invalid value "#{invalid_type}"/) + end + + #single host_alias + let(:host_alias) { 'r0ckdata.com' } + it "should update an entry with new host_alias" do + manifest = "#{type_under_test} { '#{sshkey_name}': + ensure => 'present', + host_aliases => '#{host_alias}', + target => '#{@sshkey_file}' }" + apply_with_error_check(manifest) + expect(File.read(@sshkey_file)).to match(/#{sshkey_name},#{host_alias}\s/) + expect(File.read(@sshkey_file)).not_to match(/#{sshkey_name}\s/) + end + + #array host_alias + let(:host_aliases) { "r0ckdata.com,erict.net" } + it "should update an entry with new host_alias" do + manifest = "#{type_under_test} { '#{sshkey_name}': + ensure => 'present', + host_aliases => '#{host_alias}', + target => '#{@sshkey_file}' }" + apply_with_error_check(manifest) + expect(File.read(@sshkey_file)).to match(/#{sshkey_name},#{host_alias}\s/) + expect(File.read(@sshkey_file)).not_to match(/#{sshkey_name}\s/) + end + + #puppet resource sshkey + it "should fetch an entry from resources" do + @resource_app = Puppet::Application[:resource] + @resource_app.preinit + @resource_app.command_line.stubs(:args). + returns([type_under_test, sshkey_name, "target=#{@sshkey_file}"]) + + @resource_app.expects(:puts).with do |args| + expect(args).to match(/#{sshkey_name}/) + end + @resource_app.main + end + + end + +end diff --git a/spec/lib/puppet_spec/compiler.rb b/spec/lib/puppet_spec/compiler.rb new file mode 100644 index 0000000..8964a26 --- /dev/null +++ b/spec/lib/puppet_spec/compiler.rb @@ -0,0 +1,112 @@ +module PuppetSpec::Compiler + module_function + + def compile_to_catalog(string, node = Puppet::Node.new('test')) + Puppet[:code] = string + # see lib/puppet/indirector/catalog/compiler.rb#filter + Puppet::Parser::Compiler.compile(node).filter { |r| r.virtual? } + end + + # Does not removed virtual resources in compiled catalog (i.e. keeps unrealized) + def compile_to_catalog_unfiltered(string, node = Puppet::Node.new('test')) + Puppet[:code] = string + # see lib/puppet/indirector/catalog/compiler.rb#filter + Puppet::Parser::Compiler.compile(node) + end + + def compile_to_ral(manifest, node = Puppet::Node.new('test')) + catalog = compile_to_catalog(manifest, node) + ral = catalog.to_ral + ral.finalize + ral + end + + def compile_to_relationship_graph(manifest, prioritizer = Puppet::Graph::SequentialPrioritizer.new) + ral = compile_to_ral(manifest) + graph = Puppet::Graph::RelationshipGraph.new(prioritizer) + graph.populate_from(ral) + graph + end + + def apply_compiled_manifest(manifest, prioritizer = Puppet::Graph::SequentialPrioritizer.new) + catalog = compile_to_ral(manifest) + if block_given? + catalog.resources.each { |res| yield res } + end + transaction = Puppet::Transaction.new(catalog, + Puppet::Transaction::Report.new, + prioritizer) + transaction.evaluate + transaction.report.finalize_report + + transaction + end + + def apply_with_error_check(manifest) + apply_compiled_manifest(manifest) do |res| + res.expects(:err).never + end + end + + def order_resources_traversed_in(relationships) + order_seen = [] + relationships.traverse { |resource| order_seen << resource.ref } + order_seen + end + + def collect_notices(code, node = Puppet::Node.new('foonode')) + Puppet[:code] = code + compiler = Puppet::Parser::Compiler.new(node) + node.environment.check_for_reparse + logs = [] + Puppet::Util::Log.with_destination(Puppet::Test::LogCollector.new(logs)) do + yield(compiler) + end + logs = logs.select { |log| log.level == :notice }.map { |log| log.message } + logs + end + + def eval_and_collect_notices(code, node = Puppet::Node.new('foonode'), topscope_vars = {}) + collect_notices(code, node) do |compiler| + unless topscope_vars.empty? + scope = compiler.topscope + topscope_vars.each {|k,v| scope.setvar(k, v) } + end + if block_given? + compiler.compile do |catalog| + yield(compiler.topscope, catalog) + catalog + end + else + compiler.compile + end + end + end + + # Compiles a catalog, and if source is given evaluates it and returns its result. + # The catalog is returned if no source is given. + # Topscope variables are set before compilation + # Uses a created node 'testnode' if none is given. + # (Parameters given by name) + # + def evaluate(code: 'undef', source: nil, node: Puppet::Node.new('testnode'), variables: {}) + source_location = caller[0] + Puppet[:code] = code + compiler = Puppet::Parser::Compiler.new(node) + unless variables.empty? + scope = compiler.topscope + variables.each {|k,v| scope.setvar(k, v) } + end + + if source.nil? + compiler.compile + # see lib/puppet/indirector/catalog/compiler.rb#filter + return compiler.filter { |r| r.virtual? } + end + + # evaluate given source is the context of the compiled state and return its result + compiler.compile do |catalog | + Puppet::Pops::Parser::EvaluatingParser.singleton.evaluate_string(compiler.topscope, source, source_location) + end + end +end diff --git a/spec/lib/puppet_spec/files.rb b/spec/lib/puppet_spec/files.rb new file mode 100644 index 0000000..a6529f6 --- /dev/null +++ b/spec/lib/puppet_spec/files.rb @@ -0,0 +1,126 @@ +require 'fileutils' +require 'tempfile' +require 'tmpdir' +require 'pathname' + +# A support module for testing files. +module PuppetSpec::Files + @global_tempfiles = [] + + def self.cleanup + until @global_tempfiles.empty? + path = @global_tempfiles.pop + begin + Dir.unstub(:entries) + FileUtils.rm_rf path, secure: true + rescue Errno::ENOENT # rubocop:disable Lint/HandleExceptions + # nothing to do + end + end + end + + def make_absolute(path) + PuppetSpec::Files.make_absolute(path) + end + + def self.make_absolute(path) + path = File.expand_path(path) + path[0] = 'c' if Puppet.features.microsoft_windows? + path + end + + def tmpfile(name, dir = nil) + PuppetSpec::Files.tmpfile(name, dir) + end + + def self.tmpfile(name, dir = nil) + # Generate a temporary file, just for the name... + source = dir ? Tempfile.new(name, dir) : Tempfile.new(name) + path = Puppet::FileSystem.expand_path(source.path.encode(Encoding::UTF_8)) + source.close! + + record_tmp(File.expand_path(path)) + + path + end + + def file_containing(name, contents) + PuppetSpec::Files.file_containing(name, contents) + end + + def self.file_containing(name, contents) + file = tmpfile(name) + File.open(file, 'wb') { |f| f.write(contents) } + file + end + + def script_containing(name, contents) + PuppetSpec::Files.script_containing(name, contents) + end + + def self.script_containing(name, contents) + file = tmpfile(name) + if Puppet.features.microsoft_windows? + file += '.bat' + text = contents[:windows] + else + text = contents[:posix] + end + File.open(file, 'wb') { |f| f.write(text) } + Puppet::FileSystem.chmod(0o755, file) + file + end + + def tmpdir(name) + PuppetSpec::Files.tmpdir(name) + end + + def self.tmpdir(name) + dir = Puppet::FileSystem.expand_path(Dir.mktmpdir(name).encode!(Encoding::UTF_8)) + + record_tmp(dir) + + dir + end + + def dir_containing(name, contents_hash) + PuppetSpec::Files.dir_containing(name, contents_hash) + end + + def self.dir_containing(name, contents_hash) + dir_contained_in(tmpdir(name), contents_hash) + end + + def dir_contained_in(dir, contents_hash) + PuppetSpec::Files.dir_contained_in(dir, contents_hash) + end + + def self.dir_contained_in(dir, contents_hash) + contents_hash.each do |k, v| + if v.is_a?(Hash) + Dir.mkdir(tmp = File.join(dir, k)) + dir_contained_in(tmp, v) + else + file = File.join(dir, k) + File.open(file, 'wb') { |f| f.write(v) } + end + end + dir + end + + def self.record_tmp(tmp) + # ...record it for cleanup, + @global_tempfiles ||= [] + @global_tempfiles << tmp + end + + def expect_file_mode(file, mode) + actual_mode = '%o' % Puppet::FileSystem.stat(file).mode + target_mode = if Puppet.features.microsoft_windows? + mode + else + '10' + '%04i' % mode.to_i + end + expect(actual_mode).to eq(target_mode) + end +end diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb new file mode 100644 index 0000000..e69d11d --- /dev/null +++ b/spec/spec_helper.rb @@ -0,0 +1,45 @@ + +require 'puppetlabs_spec_helper/module_spec_helper' +require 'rspec-puppet-facts' + +begin + require 'spec_helper_local' if File.file?(File.join(File.dirname(__FILE__), 'spec_helper_local.rb')) +rescue LoadError => loaderror + warn "Could not require spec_helper_local: #{loaderror.message}" +end + +include RspecPuppetFacts + +default_facts = { + puppetversion: Puppet.version, + facterversion: Facter.version, +} + +default_facts_path = File.expand_path(File.join(File.dirname(__FILE__), 'default_facts.yml')) +default_module_facts_path = File.expand_path(File.join(File.dirname(__FILE__), 'default_module_facts.yml')) + +if File.exist?(default_facts_path) && File.readable?(default_facts_path) + default_facts.merge!(YAML.safe_load(File.read(default_facts_path))) +end + +if File.exist?(default_module_facts_path) && File.readable?(default_module_facts_path) + default_facts.merge!(YAML.safe_load(File.read(default_module_facts_path))) +end + +RSpec.configure do |c| + c.default_facts = default_facts + c.before :each do + # set to strictest setting for testing + # by default Puppet runs at warning level + Puppet.settings[:strict] = :warning + end +end + +def ensure_module_defined(module_name) + module_name.split('::').reduce(Object) do |last_module, next_module| + last_module.const_set(next_module, Module.new) unless last_module.const_defined?(next_module) + last_module.const_get(next_module) + end +end + +# 'spec_overrides' from sync.yml will appear below this line diff --git a/spec/spec_helper_local.rb b/spec/spec_helper_local.rb new file mode 100644 index 0000000..fc786a6 --- /dev/null +++ b/spec/spec_helper_local.rb @@ -0,0 +1,17 @@ +dir = File.expand_path(File.dirname(__FILE__)) +$LOAD_PATH.unshift File.join(dir, 'lib') + +# Container for various Puppet-specific RSpec helpers. +module PuppetSpec +end + +require 'puppet_spec/files' + +RSpec.configure do |config| + config.before :each do |test| + base = PuppetSpec::Files.tmpdir('tmp_settings') + Puppet[:vardir] = File.join(base, 'var') + + FileUtils.mkdir_p Puppet[:statedir] + end +end
\ No newline at end of file diff --git a/spec/unit/provider/sshkey/parsed_spec.rb b/spec/unit/provider/sshkey/parsed_spec.rb new file mode 100644 index 0000000..38aa7f7 --- /dev/null +++ b/spec/unit/provider/sshkey/parsed_spec.rb @@ -0,0 +1,93 @@ +#! /usr/bin/env ruby +require 'spec_helper' + +describe "sshkey parsed provider" do + let :type do Puppet::Type.type(:sshkey) end + let :provider do type.provider(:parsed) end + subject { provider } + + after :each do + subject.clear + end + + def key + 'AAAAB3NzaC1yc2EAAAABIwAAAQEAzwHhxXvIrtfIwrudFqc8yQcIfMudrgpnuh1F3AV6d2BrLgu/yQE7W5UyJMUjfj427sQudRwKW45O0Jsnr33F4mUw+GIMlAAmp9g24/OcrTiB8ZUKIjoPy/cO4coxGi8/NECtRzpD/ZUPFh6OEpyOwJPMb7/EC2Az6Otw4StHdXUYw22zHazBcPFnv6zCgPx1hA7QlQDWTu4YcL0WmTYQCtMUb3FUqrcFtzGDD0ytosgwSd+JyN5vj5UwIABjnNOHPZ62EY1OFixnfqX/+dUwrFSs5tPgBF/KkC6R7tmbUfnBON6RrGEmu+ajOTOLy23qUZB4CQ53V7nyAWhzqSK+hw==' + end + + it "should parse the name from the first field" do + expect(subject.parse_line('test ssh-rsa '+key)[:name]).to eq("test") + end + + it "should parse the first component of the first field as the name" do + expect(subject.parse_line('test,alias ssh-rsa '+key)[:name]).to eq("test") + end + + it "should parse host_aliases from the remaining components of the first field" do + expect(subject.parse_line('test,alias ssh-rsa '+key)[:host_aliases]).to eq(["alias"]) + end + + it "should parse multiple host_aliases" do + expect(subject.parse_line('test,alias1,alias2,alias3 ssh-rsa '+key)[:host_aliases]).to eq(["alias1","alias2","alias3"]) + end + + it "should not drop an empty host_alias" do + expect(subject.parse_line('test,alias, ssh-rsa '+key)[:host_aliases]).to eq(["alias",""]) + end + + it "should recognise when there are no host aliases" do + expect(subject.parse_line('test ssh-rsa '+key)[:host_aliases]).to eq([]) + end + + context "with the sample file" do + ['sample', 'sample_with_blank_lines'].each do |sample_file| + let :fixture do my_fixture(sample_file) end + before :each do subject.stubs(:default_target).returns(fixture) end + + it "should parse to records on prefetch" do + expect(subject.target_records(fixture)).to be_empty + subject.prefetch + + records = subject.target_records(fixture) + expect(records).to be_an Array + expect(records).to be_all {|x| expect(x).to be_an Hash } + end + + it "should reconstitute the file from records" do + subject.prefetch + records = subject.target_records(fixture) + text = subject.to_file(records).gsub(/^# HEADER.+\n/, '') + + oldlines = File.readlines(fixture).map(&:chomp) + newlines = text.chomp.split("\n") + expect(oldlines.length).to eq(newlines.length) + + oldlines.zip(newlines).each do |old, new| + expect(old.gsub(/\s+/, '')).to eq(new.gsub(/\s+/, '')) + end + end + end + end + + context 'default ssh_known_hosts target path' do + ['9.10', '9.11', '10.10'].each do |version| + it 'should be `/etc/ssh_known_hosts` when OSX version 10.10 or older`' do + Facter.expects(:value).with(:operatingsystem).returns('Darwin') + Facter.expects(:value).with(:macosx_productversion_major).returns(version) + expect(subject.default_target).to eq('/etc/ssh_known_hosts') + end + end + + ['10.11', '10.13', '11.0', '11.11'].each do |version| + it 'should be `/etc/ssh/ssh_known_hosts` when OSX version 10.11 or newer`' do + Facter.expects(:value).with(:operatingsystem).returns('Darwin') + Facter.expects(:value).with(:macosx_productversion_major).returns(version) + expect(subject.default_target).to eq('/etc/ssh/ssh_known_hosts') + end + end + + it 'should be `/etc/ssh/ssh_known_hosts` on other operating systems' do + Facter.expects(:value).with(:operatingsystem).returns('RedHat') + expect(subject.default_target).to eq('/etc/ssh/ssh_known_hosts') + end + end +end diff --git a/spec/unit/type/ssh_authorized_key_spec.rb b/spec/unit/type/ssh_authorized_key_spec.rb new file mode 100644 index 0000000..ae93667 --- /dev/null +++ b/spec/unit/type/ssh_authorized_key_spec.rb @@ -0,0 +1,258 @@ +#! /usr/bin/env ruby +require 'spec_helper' + + +describe Puppet::Type.type(:ssh_authorized_key), :unless => Puppet.features.microsoft_windows? do + include PuppetSpec::Files + + before do + provider_class = stub 'provider_class', :name => "fake", :suitable? => true, :supports_parameter? => true + described_class.stubs(:defaultprovider).returns(provider_class) + described_class.stubs(:provider).returns(provider_class) + + provider = stub 'provider', :class => provider_class, :file_path => make_absolute("/tmp/whatever"), :clear => nil + provider_class.stubs(:new).returns(provider) + end + + it "has :name as its namevar" do + expect(described_class.key_attributes).to eq [:name] + end + + describe "when validating attributes" do + + [:name, :provider].each do |param| + it "has a #{param} parameter" do + expect(described_class.attrtype(param)).to eq :param + end + end + + [:type, :key, :user, :target, :options, :ensure].each do |property| + it "has a #{property} property" do + expect(described_class.attrtype(property)).to eq :property + end + end + + end + + describe "when validating values" do + + describe "for name" do + + it "supports valid names" do + described_class.new(:name => "username", :ensure => :present, :user => "nobody") + described_class.new(:name => "username@hostname", :ensure => :present, :user => "nobody") + end + + it "supports whitespace" do + described_class.new(:name => "my test", :ensure => :present, :user => "nobody") + end + + end + + describe "for ensure" do + + it "supports :present" do + described_class.new(:name => "whev", :ensure => :present, :user => "nobody") + end + + it "supports :absent" do + described_class.new(:name => "whev", :ensure => :absent, :user => "nobody") + end + + it "nots support other values" do + expect { described_class.new(:name => "whev", :ensure => :foo, :user => "nobody") }.to raise_error(Puppet::Error, /Invalid value/) + end + + end + + describe "for type" do + + [ + :'ssh-dss', :dsa, + :'ssh-rsa', :rsa, + :'ecdsa-sha2-nistp256', + :'ecdsa-sha2-nistp384', + :'ecdsa-sha2-nistp521', + :ed25519, :'ssh-ed25519', + ].each do |keytype| + it "supports #{keytype}" do + described_class.new(:name => "whev", :type => keytype, :user => "nobody") + end + end + + it "aliases :rsa to :ssh-rsa" do + key = described_class.new(:name => "whev", :type => :rsa, :user => "nobody") + expect(key.should(:type)).to eq :'ssh-rsa' + end + + it "aliases :dsa to :ssh-dss" do + key = described_class.new(:name => "whev", :type => :dsa, :user => "nobody") + expect(key.should(:type)).to eq :'ssh-dss' + end + + it "doesn't support values other than ssh-dss, ssh-rsa, dsa, rsa" do + expect { described_class.new(:name => "whev", :type => :something) }.to raise_error(Puppet::Error,/Invalid value/) + end + + end + + describe "for key" do + + it "supports a valid key like a 1024 bit rsa key" do + expect { described_class.new(:name => "whev", :type => :rsa, :user => "nobody", :key => 'AAAAB3NzaC1yc2EAAAADAQABAAAAgQDCPfzW2ry7XvMc6E5Kj2e5fF/YofhKEvsNMUogR3PGL/HCIcBlsEjKisrY0aYgD8Ikp7ZidpXLbz5dBsmPy8hJiBWs5px9ZQrB/EOQAwXljvj69EyhEoGawmxQMtYw+OAIKHLJYRuk1QiHAMHLp5piqem8ZCV2mLb9AsJ6f7zUVw==')}.to_not raise_error + end + + it "supports a valid key like a 4096 bit rsa key" do + expect { described_class.new(:name => "whev", :type => :rsa, :user => "nobody", :key => 'AAAAB3NzaC1yc2EAAAADAQABAAACAQDEY4pZFyzSfRc9wVWI3DfkgT/EL033UZm/7x1M+d+lBD00qcpkZ6CPT7lD3Z+vylQlJ5S8Wcw6C5Smt6okZWY2WXA9RCjNJMIHQbJAzwuQwgnwU/1VMy9YPp0tNVslg0sUUgpXb13WW4mYhwxyGmIVLJnUrjrQmIFhtfHsJAH8ZVqCWaxKgzUoC/YIu1u1ScH93lEdoBPLlwm6J0aiM7KWXRb7Oq1nEDZtug1zpX5lhgkQWrs0BwceqpUbY+n9sqeHU5e7DCyX/yEIzoPRW2fe2Gx1Iq6JKM/5NNlFfaW8rGxh3Z3S1NpzPHTRjw8js3IeGiV+OPFoaTtM1LsWgPDSBlzIdyTbSQR7gKh0qWYCNV/7qILEfa0yIFB5wIo4667iSPZw2pNgESVtenm8uXyoJdk8iWQ4mecdoposV/znknNb2GPgH+n/2vme4btZ0Sl1A6rev22GQjVgbWOn8zaDglJ2vgCN1UAwmq41RXprPxENGeLnWQppTnibhsngu0VFllZR5kvSIMlekLRSOFLFt92vfd+tk9hZIiKm9exxcbVCGGQPsf6dZ27rTOmg0xM2Sm4J6RRKuz79HQgA4Eg18+bqRP7j/itb89DmtXEtoZFAsEJw8IgIfeGGDtHTkfAlAC92mtK8byeaxGq57XCTKbO/r5gcOMElZHy1AcB8kw==')}.to_not raise_error + end + + it "supports a valid key like a 1024 bit dsa key" do + expect { described_class.new(:name => "whev", :type => :dsa, :user => "nobody", :key => 'AAAAB3NzaC1kc3MAAACBAI80iR78QCgpO4WabVqHHdEDigOjUEHwIjYHIubR/7u7DYrXY+e+TUmZ0CVGkiwB/0yLHK5dix3Y/bpj8ZiWCIhFeunnXccOdE4rq5sT2V3l1p6WP33RpyVYbLmeuHHl5VQ1CecMlca24nHhKpfh6TO/FIwkMjghHBfJIhXK+0w/AAAAFQDYzLupuMY5uz+GVrcP+Kgd8YqMmwAAAIB3SVN71whLWjFPNTqGyyIlMy50624UfNOaH4REwO+Of3wm/cE6eP8n75vzTwQGBpJX3BPaBGW1S1Zp/DpTOxhCSAwZzAwyf4WgW7YyAOdxN3EwTDJZeyiyjWMAOjW9/AOWt9gtKg0kqaylbMHD4kfiIhBzo31ZY81twUzAfN7angAAAIBfva8sTSDUGKsWWIXkdbVdvM4X14K4gFdy0ZJVzaVOtZ6alysW6UQypnsl6jfnbKvsZ0tFgvcX/CPyqNY/gMR9lyh/TCZ4XQcbqeqYPuceGehz+jL5vArfqsW2fJYFzgCcklmr/VxtP5h6J/T0c9YcDgc/xIfWdZAlznOnphI/FA==')}.to_not raise_error + end + + it "doesn't support whitespaces" do + expect { described_class.new(:name => "whev", :type => :rsa, :user => "nobody", :key => 'AAA FA==')}.to raise_error(Puppet::Error,/Key must not contain whitespace/) + end + + end + + describe "for options" do + + it "supports flags as options" do + expect { described_class.new(:name => "whev", :type => :rsa, :user => "nobody", :options => 'cert-authority')}.to_not raise_error + expect { described_class.new(:name => "whev", :type => :rsa, :user => "nobody", :options => 'no-port-forwarding')}.to_not raise_error + end + + it "supports key-value pairs as options" do + expect { described_class.new(:name => "whev", :type => :rsa, :user => "nobody", :options => 'command="command"')}.to_not raise_error + end + + it "supports key-value pairs where value consist of multiple items" do + expect { described_class.new(:name => "whev", :type => :rsa, :user => "nobody", :options => 'from="*.domain1,host1.domain2"')}.to_not raise_error + end + + it "supports environments as options" do + expect { described_class.new(:name => "whev", :type => :rsa, :user => "nobody", :options => 'environment="NAME=value"')}.to_not raise_error + end + + it "supports multiple options as an array" do + expect { described_class.new(:name => "whev", :type => :rsa, :user => "nobody", :options => ['cert-authority','environment="NAME=value"'])}.to_not raise_error + end + + it "doesn't support a comma separated list" do + expect { described_class.new(:name => "whev", :type => :rsa, :user => "nobody", :options => 'cert-authority,no-port-forwarding')}.to raise_error(Puppet::Error, /must be provided as an array/) + end + + it "uses :absent as a default value" do + expect(described_class.new(:name => "whev", :type => :rsa, :user => "nobody").should(:options)).to eq [:absent] + end + + it "property should return well formed string of arrays from is_to_s" do + resource = described_class.new(:name => "whev", :type => :rsa, :user => "nobody", :options => ["a","b","c"]) + expect(resource.property(:options).is_to_s(["a","b","c"])).to eq "['a', 'b', 'c']" + end + + it "property should return well formed string of arrays from should_to_s" do + resource = described_class.new(:name => "whev", :type => :rsa, :user => "nobody", :options => ["a","b","c"]) + expect(resource.property(:options).should_to_s(["a","b","c"])).to eq "['a', 'b', 'c']" + end + + end + + describe "for user" do + + it "supports present users" do + described_class.new(:name => "whev", :type => :rsa, :user => "root") + end + + it "supports absent users" do + described_class.new(:name => "whev", :type => :rsa, :user => "ihopeimabsent") + end + + end + + describe "for target" do + + it "supports absolute paths" do + described_class.new(:name => "whev", :type => :rsa, :target => "/tmp/here") + end + + it "uses the user's path if not explicitly specified" do + expect(described_class.new(:name => "whev", :user => 'root').should(:target)).to eq File.expand_path("~root/.ssh/authorized_keys") + end + + it "doesn't consider the user's path if explicitly specified" do + expect(described_class.new(:name => "whev", :user => 'root', :target => '/tmp/here').should(:target)).to eq '/tmp/here' + end + + it "informs about an absent user" do + Puppet::Log.level = :debug + described_class.new(:name => "whev", :user => 'idontexist').should(:target) + expect(@logs.map(&:message)).to include("The required user is not yet present on the system") + end + + end + + end + + describe "when neither user nor target is specified" do + + it "raises an error" do + expect do + described_class.new( + :name => "Test", + :key => "AAA", + :type => "ssh-rsa", + :ensure => :present) + end.to raise_error(Puppet::Error,/user.*or.*target.*mandatory/) + end + + end + + describe "when both target and user are specified" do + + it "uses target" do + resource = described_class.new( + :name => "Test", + :user => "root", + :target => "/tmp/blah" + ) + expect(resource.should(:target)).to eq "/tmp/blah" + end + + end + + + describe "when user is specified" do + + it "determines target" do + resource = described_class.new( + :name => "Test", + :user => "root" + ) + target = File.expand_path("~root/.ssh/authorized_keys") + expect(resource.should(:target)).to eq target + end + + # Bug #2124 - ssh_authorized_key always changes target if target is not defined + it "doesn't raise spurious change events" do + resource = described_class.new(:name => "Test", :user => "root") + target = File.expand_path("~root/.ssh/authorized_keys") + expect(resource.property(:target).safe_insync?(target)).to eq true + end + + end + + describe "when calling validate" do + + it "doesn't crash on a non-existent user" do + resource = described_class.new( + :name => "Test", + :user => "ihopesuchuserdoesnotexist" + ) + resource.validate + end + + end + +end diff --git a/spec/unit/type/sshkey_spec.rb b/spec/unit/type/sshkey_spec.rb new file mode 100644 index 0000000..d16e595 --- /dev/null +++ b/spec/unit/type/sshkey_spec.rb @@ -0,0 +1,77 @@ +#! /usr/bin/env ruby +require 'spec_helper' + + +describe Puppet::Type.type(:sshkey) do + + it "uses :name as its namevar" do + expect(described_class.key_attributes).to eq [:name] + end + + describe "when validating attributes" do + [:name, :provider].each do |param| + it "has a #{param} parameter" do + expect(described_class.attrtype(param)).to eq :param + end + end + + [:host_aliases, :ensure, :key, :type].each do |property| + it "has a #{property} property" do + expect(described_class.attrtype(property)).to eq :property + end + end + end + + describe "when validating values" do + + [ + :'ssh-dss', :dsa, + :'ssh-rsa', :rsa, + :'ecdsa-sha2-nistp256', + :'ecdsa-sha2-nistp384', + :'ecdsa-sha2-nistp521', + :'ssh-ed25519', :ed25519, + ].each do |keytype| + it "supports #{keytype} as a type value" do + described_class.new(:name => "foo", :type => keytype) + end + end + + it "aliases :rsa to :ssh-rsa" do + key = described_class.new(:name => "foo", :type => :rsa) + expect(key.should(:type)).to eq :'ssh-rsa' + end + + it "aliases :dsa to :ssh-dss" do + key = described_class.new(:name => "foo", :type => :dsa) + expect(key.should(:type)).to eq :'ssh-dss' + end + + it "doesn't support values other than ssh-dss, ssh-rsa, dsa, rsa for type" do + expect { + described_class.new(:name => "whev", :type => :'ssh-dsa') + }.to raise_error(Puppet::Error, /Invalid value.*ssh-dsa/) + end + + it "accepts one host_alias" do + described_class.new(:name => "foo", :host_aliases => 'foo.bar.tld') + end + + it "accepts multiple host_aliases as an array" do + described_class.new(:name => "foo", :host_aliases => ['foo.bar.tld','10.0.9.9']) + end + + it "doesn't accept spaces in any host_alias" do + expect { + described_class.new(:name => "foo", :host_aliases => ['foo.bar.tld','foo bar']) + }.to raise_error(Puppet::Error, /cannot include whitespace/) + end + + it "doesn't accept aliases in the resourcename" do + expect { + described_class.new(:name => 'host,host.domain,ip') + }.to raise_error(Puppet::Error, /No comma in resourcename/) + end + + end +end |