Fixes #38499 - Introduce SSH cert support

Author: adamlazik1

app/services/foreman/renderer/configuration.rb

@@ -64,7 +64,8 @@ class Configuration
         :falsy?,
         :previous_revision,
         :foreman_short_version,
-        :product_short_version
+        :product_short_version,
+        :service_restart
       ]
 
       DEFAULT_ALLOWED_HOST_HELPERS = [

app/services/foreman/renderer/scope/macros/helpers.rb

@@ -181,6 +181,21 @@ def generate_web_request(utility:, url:, ssl_ca_cert: nil, headers: nil, params:
             utility[:format_params].call(params).each { |param| command << param } if params
             command.join(" \\\n  ")
           end
+
+          apipie :method, 'Generates shell command to restart the given service' do
+            required :service, String, desc: 'Name of the service to restart'
+            returns String, desc: 'Shell command to restart the given service'
+            example 'service_restart("sshd") #=> "if command -v systemctl >/dev/null 2>&1; then\n  systemctl restart sshd\nelse\n  service sshd restart\nfi"'
+          end
+          def service_restart(service)
+            <<-EOS.strip
+              if command -v systemctl >/dev/null 2>&1; then
+                systemctl restart #{service}
+              else
+                service #{service} restart
+              fi
+            EOS
+          end
         end
       end
     end

app/views/unattended/provisioning_templates/snippet/remote_execution_ssh_keys.erb

@@ -10,6 +10,9 @@ description: |
 
   remote_execution_ssh_keys: public keys to be put in ~/.ssh/authorized_keys
 
+  remote_execution_ssh_ca_keys: public ssh CA keys to be put in
+                                /etc/ssh/sshd_config.d/60-user-ca.conf
+
   remote_execution_ssh_user: user for which remote_execution_ssh_keys will be
                              authorized
 
@@ -33,7 +36,7 @@ if [ -z "$PKG_MANAGER" ]; then
 <%= indent(2) { snippet 'pkg_manager' } -%>
 fi
 
-<% if !host_param('remote_execution_ssh_keys').blank? %>
+<% if !host_param('remote_execution_ssh_keys').blank? || !host_param('remote_execution_ssh_ca_keys').blank? %>
 <% ssh_user = host_param('remote_execution_ssh_user') || 'root' %>
 
 user_exists=false
@@ -64,6 +67,23 @@ EOF
   # Restore SELinux context with restorecon, if it's available:
   command -v restorecon && restorecon -RvF <%= ssh_path %> || true
 
+<% if host_param('remote_execution_ssh_ca_keys').present? -%>
+  mkdir -p /etc/ssh/sshd_config.d
+
+  cat << EOF >> /etc/ssh/user-ca.pub
+<%= host_param('remote_execution_ssh_ca_keys').is_a?(String) ? host_param('remote_execution_ssh_ca_keys') : host_param('remote_execution_ssh_ca_keys').join("\n") %>
+EOF
+
+  chmod 0644 /etc/ssh/user-ca.pub
+
+  echo 'TrustedUserCAKeys /etc/ssh/user-ca.pub' >/etc/ssh/sshd_config.d/60-user-ca.conf
+  command -v restorecon && restorecon -RvF /etc/ssh || true
+
+  # restart sshd
+  $(command -v cloud-init && cloud-init status --wait) >/dev/null 2>&1 || true
+  <%= service_restart(@host.operatingsystem.family == 'Debian' ? 'ssh' : 'sshd') %>
+<% end -%>
+
 <% if ssh_user != 'root' && host_param('remote_execution_effective_user_method') == 'sudo' -%>
 if [ ! -x "$(command -v sudo)" ]; then
   $PKG_MANAGER_INSTALL sudo