From 674216d0ade377e023ca2382a7ad14a98f6f946a Mon Sep 17 00:00:00 2001
From: Alexander Weidinger
Date: Fri, 3 Mar 2017 14:17:41 +0100
Subject: [PATCH] openssh.auth_map

---
 README.rst           |  7 +++++++
 openssh/auth_map.sls | 33 +++++++++++++++++++++++++++++++++
 pillar.example       | 13 +++++++++++++
 3 files changed, 53 insertions(+)
 create mode 100644 openssh/auth_map.sls

diff --git a/README.rst b/README.rst
index 0b52709..86a551e 100644
--- a/README.rst
+++ b/README.rst
@@ -23,6 +23,13 @@ Installs the ``openssh`` server package and service.
 Manages SSH certificates for users.
+``openssh.auth_map``
+-----------
+
+Same functionality as openssh.auth but with a simplified Pillar syntax.
+Plays nicely with `Pillarstack
+`_.
+
 ``openssh.banner``
 ------------------
diff --git a/openssh/auth_map.sls b/openssh/auth_map.sls
new file mode 100644
index 0000000..2cd5870
--- /dev/null
+++ b/openssh/auth_map.sls
@@ -0,0 +1,33 @@
+include:
+  - openssh
+
+{% from "openssh/map.jinja" import openssh with context -%}
+{%- set openssh_pillar = salt["pillar.get"]("openssh", {}) -%}
+{%- set authorized_keys_file = salt["pillar.get"]("sshd_config:AuthorizedKeysFile", None) %}
+
+{%- for store, config in salt["pillar.get"]("openssh:auth_map", {}).iteritems() %}
+{%- set store_base = config["source"] %}
+# SSH store openssh:auth_map:{{ store }}
+{%- for user, keys in config.get("users", {}).iteritems() %}
+{%- for key, key_cfg in keys.iteritems() %}
+"ssh_auth--{{ store }}--{{ user }}--{{ key }}":
+{%- set present = key_cfg.get("present", True) %}
+{%- set options = key_cfg.get("options", []) %}
+{%- if present %}
+  ssh_auth.present:
+    - require:
+      - service: {{ openssh.service }}
+{%- else %}
+  ssh_auth.absent:
+{%- endif %}
+    - user: {{ user }}
+    - source: {{ store_base }}/{{ key }}.pub
+{%- if authorized_keys_file %}
+    - config: "{{ authorized_keys_file }}"
+{%- endif %}
+{%- if options %}
+    - options: "{{ options }}"
+{%- endif %}
+{%- endfor %}
+{%- endfor %}
+{%- endfor %}
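Review bot: In the new auth_map.sls the line `- options: "{{ options }}"` wraps the rendered list in quotes, so YAML delivers a single string such as `['no-pty']` to ssh_auth.present instead of the list the state expects, and the options are unlikely to be written to the key line as intended; emit it unquoted through a serializing filter, e.g. `- options: {{ options|json }}` (confirm the `json` filter exists in the Salt release this formula targets). The three `.iteritems()` calls are Python 2 only and will not render under a Python 3 Salt; `.items()` behaves the same on both. A pillar entry written as a bare `joe.desktop:` arrives as None, so the two `key_cfg.get(...)` lines raise; `{%- set present = (key_cfg or {}).get("present", True) %}` and `{%- set options = (key_cfg or {}).get("options", []) %}` tolerate it, which is presumably why pillar.example spells the entry as `joe.desktop: {}`. `openssh_pillar` is assigned but never read and can be dropped.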
diff --git a/pillar.example b/pillar.example
index 39d9934..36a51c2 100644
--- a/pillar.example
+++ b/pillar.example
@@ -166,6 +166,19 @@ openssh:
         enc: ssh-rsa
         comment: obsolete key - removed
         source: salt://ssh_keys/joe.no-valid.pub
+  # Maps users to source files
+  # Designed to play nice with ext_pillar
+  # salt.states.ssh_auth: If source is set, comment and enc will be ignored
+  auth_map:
+    personal_keys: # store name
+      source: salt://ssh_keys
+      users:
+        joe:
+          joe.desktop: {}
+          joe.netbook:
+            options: [] # see salt.states.ssh_auth.present
+          joe.no-valid:
+            present: False
   generate_dsa_keys: False
   absent_dsa_keys: False