Ori.livneh has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/173353

Change subject: keyholder: add /etc/keyholder.d and `keyholder arm` subcommand
......................................................................

keyholder: add /etc/keyholder.d and `keyholder arm` subcommand

* Make it easier to get the file permissions right when provisioning a private
  key for use with keyholder by having an /etc/keyholder.d directory that is
  owned by root:keyholder and has mode 0750 and by having a
  keyholder::private_key resource that provisions private key files there.
* Add a `keyholder arm` subcommand that adds keys in /etc/keyholder.d to the
  agent.

Change-Id: Ia8da897db1e2a54926f8eaec0984b7b925dc6fea
---
M manifests/role/deployment.pp
M modules/keyholder/files/keyholder
M modules/keyholder/manifests/init.pp
A modules/keyholder/manifests/private_key.pp
4 files changed, 92 insertions(+), 18 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/53/173353/1

diff --git a/manifests/role/deployment.pp b/manifests/role/deployment.pp
index 4ca9376..0b60416 100644
--- a/manifests/role/deployment.pp
+++ b/manifests/role/deployment.pp
@@ -151,11 +151,8 @@
         trusted_group => 'wikidev',
     }
 
-    file { '/root/.ssh/mwdeploy_rsa':
+    keyholder::private_key { 'mwdeploy_rsa':
         source => 'puppet:///private/ssh/tin/mwdeploy_rsa',
-        owner  => 'root',
-        group  => 'keyholder',
-        mode   => '0440',
     }
 }
 
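Review bot: The previous key file at /root/.ssh/mwdeploy_rsa stops being managed here but is never removed, so after this change the private key exists twice on the host, and the stale copy outside /etc/keyholder.d is no longer covered by the directory's purge. Unless something else cleans it up, add `file { '/root/.ssh/mwdeploy_rsa': ensure => absent }` next to the new keyholder::private_key declaration. Any tooling that still reads the old path would need checking before that removal lands, which this hunk does not show.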
diff --git a/modules/keyholder/files/keyholder 
b/modules/keyholder/files/keyholder
index 97de949..df724e5 100755
--- a/modules/keyholder/files/keyholder
+++ b/modules/keyholder/files/keyholder
@@ -11,6 +11,9 @@
   keyholder add KEY
     Add a private key identity to the agent
 
+  keyholder arm
+    Add all keys in /etc/keyholder.d
+
   keyholder clear
     Deletes all identities from the agent
 
@@ -20,25 +23,37 @@
   exit 1
 }
 
+is_valid_private_key() {
+  # Check that $1 is a passphrase-protected private key file.
+  [ -f "$1" ] && /usr/bin/openssl rsa -in "$1" -check -pubout -passin pass: 
2>&1 | \
+      /bin/grep -q "bad password"
+}
+
 command=$1; shift
 case "$command" in
     status)
-        for service in agent proxy; do
-            /sbin/status "keyholder-${service}" || continue
-            [ -r "/run/keyholder/${service}.sock" ] || continue
-            SSH_AUTH_SOCK="/run/keyholder/${service}.sock" /usr/bin/ssh-add -l 
| sed 's/^/- /'
-        done
-        ;;
+      for service in agent proxy; do
+        /sbin/status "keyholder-${service}" || continue
+        [ -r "/run/keyholder/${service}.sock" ] || continue
+        SSH_AUTH_SOCK="/run/keyholder/${service}.sock" /usr/bin/ssh-add -l | 
sed 's/^/- /'
+      done
+      ;;
     add)
-        SSH_AUTH_SOCK=/run/keyholder/agent.sock /usr/bin/sudo -u keyholder -E 
/usr/bin/ssh-add "$@"
-        ;;
+      SSH_AUTH_SOCK=/run/keyholder/agent.sock /usr/bin/sudo -u keyholder -E 
/usr/bin/ssh-add "$@"
+      ;;
+    arm)
+      for key in /etc/keyholder.d/*; do
+        is_valid_private_key "$key" || continue
+        $0 add "$key"
+      done
+      ;;
     clear)
-        SSH_AUTH_SOCK=/run/keyholder/agent.sock /usr/bin/sudo -u keyholder -E 
/usr/bin/ssh-add -D
-        ;;
+      SSH_AUTH_SOCK=/run/keyholder/agent.sock /usr/bin/sudo -u keyholder -E 
/usr/bin/ssh-add -D
+      ;;
     start|stop|restart)
-        "/sbin/${command}" keyholder-agent
-        ;;
+      "/sbin/${command}" keyholder-agent
+      ;;
     *)
-        show_usage
-        ;;
+      show_usage
+      ;;
 esac
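Review bot: `is_valid_private_key` recognises a key only by grepping openssl's stderr for the literal text "bad password" after `openssl rsa`, and the `arm` loop then skips anything that fails with no output, so a non-RSA key, an unencrypted key, or a different openssl error message all disappear silently and the operator cannot tell why a key was not loaded. At minimum the skip should say so: `is_valid_private_key "$key" || { echo "keyholder arm: skipping $key (not a passphrase-protected RSA key)" >&2; continue; }`. Using `-noout` instead of `-pubout` would also keep the public key out of the pipe into grep, which only needs the error text. The same message-matching fragility applies to any future openssl upgrade, which is worth a comment on the function.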
diff --git a/modules/keyholder/manifests/init.pp 
b/modules/keyholder/manifests/init.pp
index 2384781..ecdf26d 100644
--- a/modules/keyholder/manifests/init.pp
+++ b/modules/keyholder/manifests/init.pp
@@ -69,6 +69,16 @@
         mode   => '0755',
     }
 
+    file { '/etc/keyholder.d':
+        ensure  => directory,
+        owner   => 'keyholder',
+        group   => 'keyholder',
+        mode    => '0750',
+        recurse => true,
+        purge   => true,
+        force   => true,
+    }
+
     file { '/usr/local/bin/ssh-agent-proxy':
         source => 'puppet:///modules/keyholder/ssh-agent-proxy',
         owner  => 'root',
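Review bot: The new /etc/keyholder.d resource sets `owner => 'keyholder'`, while the commit message says the directory is owned by root:keyholder; with the keyholder service account owning a 0750 directory it can create, rename or delete files that `keyholder arm` later feeds to ssh-add, even though the key files themselves are root-owned 0440. Changing to `owner   => 'root',` matches the description and keeps the directory contents under root's control only. It is also worth a comment on `purge => true` that any key placed there by hand rather than via keyholder::private_key will be deleted on the next run.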
diff --git a/modules/keyholder/manifests/private_key.pp 
b/modules/keyholder/manifests/private_key.pp
new file mode 100644
index 0000000..b562e5d
--- /dev/null
+++ b/modules/keyholder/manifests/private_key.pp
@@ -0,0 +1,52 @@
+# == Define: keyholder::private_key
+#
+# Provisions a private key file in /etc/keyholder.d.
+#
+# === Parameters
+#
+# [*ensure*]
+#   If 'present', config will be enabled; if 'absent', disabled.
+#   The default is 'present'.
+#
+# [*content*]
+#   If defined, will be used as the content of the key file.
+#   Undefined by default. Mutually exclusive with 'source'.
+#
+# [*source*]
+#   Path to key file. Undefined by default.
+#   Mutually exclusive with 'content'.
+#
+# === Examples
+#
+#  keyholder::private_key { 'mwdeploy_rsa':
+#    ensure => present,
+#    source => 'puppet:///private/ssh/tin/mwdeploy_rsa',
+#  }
+#
+define keyholder::private_key(
+    $ensure  = present,
+    $content = undef,
+    $source  = undef,
+) {
+    validate_ensure($ensure)
+
+    if $source == undef and $content == undef  {
+        fail('you must provide either "source" or "content"')
+    }
+    if $source != undef and $content != undef  {
+        fail('"source" and "content" are mutually exclusive')
+    }
+
+    include ::keyholder
+
+    $title_safe  = regsubst($title, '\W', '_', 'G')
+
+    file { "/etc/keyholder.d/${title_safe}":
+        ensure  => $ensure,
+        content => $content,
+        source  => $source,
+        owner   => 'root',
+        group   => 'keyholder',
+        mode    => '0440',
+    }
+}
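Review bot: The header comment for `ensure` still reads "config will be enabled ... disabled", which looks carried over from another define; this resource provisions a key file, so `#   If 'present', the key file is provisioned; if 'absent', it is removed.` says what actually happens. The mapping from title to path is also undocumented: a line such as `# The file is created as /etc/keyholder.d/<title>, with non-word characters in the title replaced by '_'.` under DESCRIPTION would tell callers why `mwdeploy_rsa` and a title with dots or slashes can land on the same filename. Both changes are comment-only.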

-- 
To view, visit https://gerrit.wikimedia.org/r/173353

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ia8da897db1e2a54926f8eaec0984b7b925dc6fea
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Ori.livneh <[email protected]>
