From 2492b853bac0522b9413d1f37d91d63741c5b60c Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Tue, 7 May 2024 09:52:18 +0200 Subject: [PATCH] usermanagement: prohibit empty ssh keys previously we allowed ssh keys as empty strings `''`. This doesn't make sense and breaks the `accounts_ssh_authorized_keys_line_parser()` function. --- REFERENCE.md | 6 +++--- .../functions/accounts_ssh_authorized_keys_line_parser.rb | 2 +- manifests/key_management.pp | 4 ++-- manifests/manage_keys.pp | 2 +- manifests/user.pp | 2 +- .../accounts_ssh_authorized_keys_line_parser_spec.rb | 2 +- 6 files changed, 9 insertions(+), 9 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index 940ea5dd..40efa683 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -505,7 +505,7 @@ Default value: `'0600'` ##### `sshkeys` -Data type: `Array[String]` +Data type: `Array[String[1]]` An array of SSH public keys associated with the user. These should be complete public key strings that include the type, content and name of the @@ -559,7 +559,7 @@ The returned options element can by an empty string. accounts_ssh_authorized_keys_line_parser_string('options ssh-rsa AAAA... comment) ``` -#### `accounts_ssh_authorized_keys_line_parser(String $str)` +#### `accounts_ssh_authorized_keys_line_parser(String[1] $str)` Parse an ssh authorized_keys line string into an array using its expected pattern by using a combination of regex matching and extracting the substring @@ -580,7 +580,7 @@ accounts_ssh_authorized_keys_line_parser_string('options ssh-rsa AAAA... comment ##### `str` -Data type: `String` +Data type: `String[1]` ssh authorized_keys line string diff --git a/lib/puppet/functions/accounts_ssh_authorized_keys_line_parser.rb b/lib/puppet/functions/accounts_ssh_authorized_keys_line_parser.rb index 77ca368a..c3940dec 100644 --- a/lib/puppet/functions/accounts_ssh_authorized_keys_line_parser.rb +++ b/lib/puppet/functions/accounts_ssh_authorized_keys_line_parser.rb 
@@ -12,7 +12,7 @@ # @example Calling the function # accounts_ssh_authorized_keys_line_parser_string('options ssh-rsa AAAA... comment) dispatch :accounts_ssh_authorized_keys_line_parser_string do - param 'String', :str + param 'String[1]', :str end def accounts_ssh_authorized_keys_line_parser_string(str) diff --git a/manifests/key_management.pp b/manifests/key_management.pp index 01a06392..7f3bff4e 100644 --- a/manifests/key_management.pp +++ b/manifests/key_management.pp @@ -42,7 +42,7 @@ Accounts::User::Name $sshkey_group = $group, Accounts::User::Name $sshkey_owner = $user, Variant[Integer[0],String] $sshkey_mode = '0600', - Array[String] $sshkeys = [], + Array[String[1]] $sshkeys = [], Optional[Stdlib::Unixpath] $user_home = undef, ) { if $user_home { @@ -98,7 +98,7 @@ } if $sshkeys != [] { - $sshkeys.each |$sshkey| { + $sshkeys.each |String[1] $sshkey| { accounts::manage_keys { "${sshkey} for ${user}": ensure => $ensure, keyspec => $sshkey, diff --git a/manifests/manage_keys.pp b/manifests/manage_keys.pp index 13907c02..fe0eef1d 100644 --- a/manifests/manage_keys.pp +++ b/manifests/manage_keys.pp @@ -20,7 +20,7 @@ # define accounts::manage_keys ( Stdlib::Unixpath $key_file, - String $keyspec, + String[1] $keyspec, Accounts::User::Name $user, Enum['absent','present'] $ensure = 'present', Accounts::User::Name $key_owner = $user, diff --git a/manifests/user.pp b/manifests/user.pp index dec6cf83..d90dfceb 100644 --- a/manifests/user.pp +++ b/manifests/user.pp @@ -213,7 +213,7 @@ Optional[Accounts::User::Name] $sshkey_group = $group, Optional[Accounts::User::Name] $sshkey_owner = $name, Variant[Integer[0],String] $sshkey_mode = '0600', - Array[String] $sshkeys = [], + Array[String[1]] $sshkeys = [], Boolean $system = false, Optional[Accounts::User::Uid] $uid = undef, ) { diff --git a/spec/functions/accounts_ssh_authorized_keys_line_parser_spec.rb b/spec/functions/accounts_ssh_authorized_keys_line_parser_spec.rb index 3437dc4b..46c8773e 100644 
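Review bot: `param 'String[1]', :str` rejects only the zero-length string, so a whitespace-only value such as `' '` still reaches the parser, and a value containing a line break is still accepted as one key line. The same gap applies to `String[1] $keyspec` in manifests/manage_keys.pp and to `Array[String[1]] $sshkeys` in manifests/key_management.pp and manifests/user.pp. If `keyspec` is written to an authorized_keys file (the code that does so is not visible in these hunks), an embedded newline would let one array element become more than one entry. A single-line pattern would be a tighter contract, for example `param 'Pattern[/\A\S[^\r\n]*\z/]', :str`. The body of accounts_ssh_authorized_keys_line_parser_string lies outside the hunk, so it may already reject such input with its own error.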
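Review bot: In the second hunk of manifests/key_management.pp, the `String[1]` annotation in `$sshkeys.each |String[1] $sshkey|` repeats what `Array[String[1]] $sshkeys` already guarantees for every element. It can never fail, and it adds a second place to update if the element type is tightened later. Either drop it (`$sshkeys.each |$sshkey| {`) or, if the project prefers typed lambdas, define the element type once as an alias and use it in both places. The `if $sshkeys != []` block and the `accounts::manage_keys` resource body continue outside the hunk.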
--- a/spec/functions/accounts_ssh_authorized_keys_line_parser_spec.rb +++ b/spec/functions/accounts_ssh_authorized_keys_line_parser_spec.rb @@ -8,7 +8,7 @@ } it { - expect(subject).to run.with_params('').and_raise_error(ArgumentError, %r{Wrong Keyline format!}) + expect(subject).to run.with_params('').and_raise_error(ArgumentError, %r{'accounts_ssh_authorized_keys_line_parser' parameter 'str' expects a String\[1\] value, got String}) } it {
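Review bot: Now that the dispatcher rejects the empty string, this example no longer reaches the function's own `Wrong Keyline format!` branch, and the hunk shows no other example that does. Keep that path covered with a non-empty malformed input, for instance `expect(subject).to run.with_params(' ').and_raise_error(ArgumentError, %r{Wrong Keyline format!})`, assuming the parser rejects whitespace-only input (its body is not shown). The new expectation also pins Puppet's full type-mismatch wording, which the module does not control; matching only on `expects a String\[1\] value` would be less brittle. The spec's other examples lie outside the hunk.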