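# Create/regenerate/remove a key pair on the keymaster.
#
# This definition is private, i.e. it is not intended to be called
# directly by users. sshkeys::create_key calls it to create virtual
# keys, which are realized in sshkeys::keymaster.
#
# Parameters:
#   $ensure  - "present" creates the key pair (regenerating it when one of
#              the revocation criteria below is met); any other value is
#              passed through unchanged to the key file resources.
#   $force   - when true an existing key pair is always revoked and
#              recreated.
#   $keytype - ssh-keygen key type (-t). It is also recorded in the public
#              key comment so that a change can be detected on later runs.
#   $length  - key length in bits (-b), recorded like $keytype.
#   $maxdays - when set, a key file older than this many days is revoked.
#   $mindate - when set, a key file with an mtime before this date (as
#              understood by "find -newermt") is revoked.
#
# $title, $keytype and $length end up inside the "exec" command strings
# below, so they are restricted to a shell-safe character set before any
# resource is declared.
define sshkeys::setup_key_master (
  $ensure,
  $force,
  $keytype,
  $length,
  $maxdays,
  $mindate
) {
  include sshkeys::var

  # Fail early on values that could carry shell metacharacters or path
  # components ("../", ";", spaces, ...). A title with a space would already
  # break the unquoted "rm" command below, so nothing working is lost.
  if "${title}" !~ /^[A-Za-z0-9_.@:+,=-]+$/ {
    fail("sshkeys::setup_key_master: unsafe title '${title}'")
  }
  if "${keytype}" !~ /^[a-z0-9-]+$/ {
    fail("sshkeys::setup_key_master[${title}]: unsafe keytype '${keytype}'")
  }
  if "${length}" !~ /^[0-9]+$/ {
    fail("sshkeys::setup_key_master[${title}]: length must be numeric, got '${length}'")
  }

  Exec { path => '/usr/bin:/usr/sbin:/bin:/sbin' }
  File {
    owner => 'puppet',
    group => 'puppet',
    mode  => '0600',
  }

  $keydir  = "${sshkeys::var::keymaster_storage}/${title}"
  $keyfile = "${keydir}/key"

  file {
    "${keydir}":
      ensure => directory,
      mode   => '0644';
    "${keyfile}":
      ensure => $ensure;
    "${keyfile}.pub":
      ensure => $ensure,
      mode   => '0644';
  }

  if $ensure == 'present' {
    # Remove the existing key pair, if
    # * $force is true, or
    # * $maxdays or $mindate criteria aren't met, or
    # * $keytype or $length have changed
    $keycontent = file("${keyfile}.pub", '/dev/null')
    if $keycontent {
      if $force {
        $reason = 'force=true'
      }
      # generate() returns find's output, i.e. the key path when the file
      # matches the age test and an empty string otherwise.
      if !$reason and $mindate and
         generate('/usr/bin/find', $keyfile, '!', '-newermt', "${mindate}") {
        $reason = "created before ${mindate}"
      }
      if !$reason and $maxdays and
         generate('/usr/bin/find', $keyfile, '-mtime', "+${maxdays}") {
        $reason = "older than ${maxdays} days"
      }
      # The public key line is "<algorithm> <base64> <keytype> <length>",
      # the last two fields being the comment written by the exec below.
      # Match any algorithm/keytype token rather than "ssh-" plus three
      # letters, so ecdsa and ed25519 keys are checked as well.
      if !$reason and $keycontent =~ /^[^ ]+ [^ ]+ ([^ ]+) (\d+)$/ {
        $stored_keytype = $1
        $stored_length  = $2
        # Compare as strings so the result does not depend on whether
        # $length arrived as a number or a string.
        if "${keytype}" != $stored_keytype {
          $reason = "keytype changed: ${stored_keytype} -> ${keytype}"
        } elsif "${length}" != $stored_length {
          $reason = "length changed: ${stored_length} -> ${length}"
        }
      }
      if $reason {
        # -f: a half-present pair (e.g. only the .pub file left) must not
        # make the revocation fail and block key creation.
        exec { "Revoke previous key ${title}: ${reason}":
          command => "rm -f ${keyfile} ${keyfile}.pub",
          before  => Exec["Create key ${title}: ${keytype}, ${length} bits"],
        }
      }
    }

    # Create the key pair.
    # We "repurpose" the comment field in public keys on the keymaster to
    # store data about the key, i.e. $keytype and $length. This avoids
    # having to rerun ssh-keygen -l on every key at every run to determine
    # the key length.
    exec { "Create key ${title}: ${keytype}, ${length} bits":
      command => "ssh-keygen -t ${keytype} -b ${length} -f ${keyfile} -C \"${keytype} ${length}\" -N \"\"",
      user    => 'puppet',
      group   => 'puppet',
      creates => $keyfile,
      require => File[$keydir],
      before  => File[$keyfile, "${keyfile}.pub"],
    }
  }
}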