Cfengine 3 example unit_root_passwd.html
#  Copyright (C) Cfengine AS

#  This file is part of Cfengine 3 - written and maintained by Cfengine AS.

#  This program is free software; you can redistribute it and/or modify it
#  under the terms of the GNU General Public License as published by the
#  Free Software Foundation; version 3.

#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.

# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA

# To the extent this program is licensed as part of the Enterprise
# versions of Cfengine, the applicable Commerical Open Source License
# (COSL) may apply to this file if you as a licensee so wish it. See
# included file COSL.txt.

######################################################################
#
# Root password distribution
# 
######################################################################

body common control

{
version => "1.2.3";
bundlesequence  => { "SetRootPassword" };
}

########################################################

bundle common g
{
vars:

  "secret_keys_dir" string => "/tmp";

}

########################################################

bundle agent SetRootPassword

{
files:

  "/var/cfengine/ppkeys/rootpw.txt"

      copy_from => scp("$(fqhost)-root.txt","master_host.example.org");

      # or $(pw_class)-root.txt

  # Test this on a copy

  "/tmp/shadow"

       edit_line => SetPasswd("root");

}

########################################################

bundle edit_line SetPasswd(user)
  {
  vars:

   # Assume this file contains a single string of the form :passwdhash:
   # with : delimiters to avoid end of line/file problems

   "gotpw" int => readstringarray("pw","$(sys.workdir)/ppkeys/root-pw.txt","#[^\n]*",":","3","200");

  field_edits:

   "$(user).*"

      # Set field of the file to parameter
      # File has format root:HASH: or user:HASH:

      edit_field => col(":","2","$(pw[root][1])","set");
  }

########################################################

bundle server passwords
{
vars:

  # Read a file of format
  #
  # classname: host1,host2,host4,IP-address,regex.*,etc
  #

       "pw_classes" int => readstringarray("acl","$(g.secret_keys_dir)/classes.txt","#[^\n]*",":","100","4000");  
  "each_pw_class" slist => getindices("acl");
 
access:

  "/secret/keys/$(each_pw_class)-root.txt"

        admit   => splitstring("$(acl[$(each_pw_class)][1])" , ":" , "100"),
    ifencrypted => "true";

}

########################################
# Bodies
########################################

body edit_field col(split,col,newval,method)

{
field_separator => "$(split)";
select_field    => "$(col)";
value_separator  => ",";
field_value     => "$(newval)";
field_operation => "$(method)";
extend_fields => "true";
allow_blank_fields => "true";
}

########################################

body copy_from scp(from,server)

{
source      => "$(from)";
compare     => "digest";
encrypt     => "true";
verify      => "true";
}
}