(PUP-11380) Ignore authorized key purging if home doesn't exist yet

joshcooper · joshcooper · commit ce9a6fd01b0e · 2021-12-14T15:21:59.000-08:00
It wasn't possible to create a user and specifiy "purge_ssh_keys => true" or an explicit path because the user type relies on "generate" to create "ssh_authorized_keys" resources with "ensure" set to "absent". Ideally we would use "eval_generate" to ensure the user is created and its home directory exists before resolving the path to authorized keys. However, that's blocked on PUP-2718. This commit instead ignores the purge logic if the user's home dir doesn't exist and "purge_ssh_keys" depends on the home dir to resolve the authorized_key path. That happens in the case of purge_ssh_keys=true or set to a string or array, where the entry starts with ~/ or %h/. (cherry picked from commit e88f896)
diff --git a/lib/puppet/type/user.rb b/lib/puppet/type/user.rb
@@ -746,20 +746,40 @@ def generate
       munge do |value|
         # Resolve string, boolean and symbol forms of true and false to a
         # single representation.
-        test_sym = value.to_s.intern
-        value = test_sym if [:true, :false].include? test_sym
+        case value
+        when :false, false, "false"
+          []
+        when :true, true, "true"
+          home = homedir
+          home ? [ "#{home}/.ssh/authorized_keys" ] : []
+        else
+          # value can be a string or array - munge each value
+          [ value ].flatten.map do |entry|
+            authorized_keys_path(entry)
+          end.compact
+        end
+      end
 
-        return [] if value == :false
-        home = resource[:home] || Dir.home(resource[:name])
+      private
 
-        return [ "#{home}/.ssh/authorized_keys" ] if value == :true
-        # value is an array - munge each value
-        [ value ].flatten.map do |entry|
-          # make sure frozen value is duplicated by using a gsub, second mutating gsub! is then ok
-          entry = entry.gsub(/^~\//, "#{home}/")
-          entry.gsub!(/^%h\//, "#{home}/")
-          entry
-        end
+      def homedir
+        resource[:home] || Dir.home(resource[:name])
+      rescue ArgumentError
+        Puppet.debug("User '#{resource[:name]}' does not exist")
+        nil
+      end
+
+      def authorized_keys_path(entry)
+        return entry unless entry.match?(%r{^(?:~|%h)/})
+
+        # if user doesn't exist (yet), ignore nonexistent homedir
+        home = homedir
+        return nil unless home
+
+        # compiler freezes "value" so duplicate using a gsub, second mutating gsub! is then ok
+        entry = entry.gsub(%r{^~/}, "#{home}/")
+        entry.gsub!(%r{^%h/}, "#{home}/")
+        entry
       end
     end
 
