Distribute root passwords

# Entry point for cf-agent: only set_root_password is sequenced. bundle common g
# (used by bundle server passwords for the ACL file location) is not listed here.
body common control
{
  version => "1.2.3";
  # stdlib supplies the secure_cp, remote_cp, mo, col and if_elapsed bodies used below
  inputs => { "$(sys.libdir)/stdlib.cf" };
  # NOTE(review): an agent bundle and an edit_line bundle below both carry the name
  # set_root_password -- confirm the targeted CFEngine version accepts the same name
  # for two bundle types.
  bundlesequence => { "set_root_password" };
}
# Shared settings. secret_keys_dir is where bundle server passwords reads the
# class -> host ACL (classes.txt) that decides which hosts may fetch a root
# password file.
bundle common g
{
  vars:
    # NOTE(review): /tmp is world-writable, so any local user on the policy server
    # could rewrite the ACL read from here; use a root-owned directory outside /tmp
    # before relying on this.
    "secret_keys_dir" string => "/tmp";
}
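# Agent side of root password distribution: fetch this host's root password
# record from the policy server over an encrypted, verified copy, then edit the
# hash into field 2 of the shadow-format file.
bundle agent set_root_password
{
  vars:
    # Or get variables directly from server with Enterprise
    "remote-passwd" string => remotescalar("rem_password", "127.0.0.1", "yes");

  files:
    # NOTE(review): the source is a bare file name keyed on $(sys.fqhost), while the
    # server bundle exports /secret/keys/$(each_pw_class)-root.txt; confirm the path
    # and naming the server actually expects.
    "/var/cfengine/ppkeys/rootpw.txt"
      # The file holds a password hash: keep it root-only at rest, matching the
      # permissions the ssh bundles put on their cached key files.
      perms => mo("600", "root"),
      copy_from => secure_cp(
        "$(sys.fqhost)-root.txt",
        # or $(pw_class)-root.txt
        "master_host.example.org"
      );

    # Test this on a copy -- point this at the real shadow file only once verified
    "/tmp/shadow" edit_line => set_root_password;
}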
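# Write the root password hash read from rootpw.txt into field 2 of the edited
# shadow-format file. The edit only runs when the hash actually resolved, so a
# missing or malformed record never replaces root's hash with an unexpanded string.
bundle edit_line set_root_password
{
  vars:
    # Assume this file contains a single string of the form root:passwdhash:
    # with : delimiters to avoid end of line/file problems.
    # rpw[root][1] is the hash; pw receives the number of records read.
    "pw"
      int => readstringarray(
        "rpw", "$(sys.workdir)/ppkeys/rootpw.txt", "#[^\n]*", ":", "1", "200"
      );

  classes:
    # Guard: without this an unreadable or empty file would leave
    # $(rpw[root][1]) unresolved and the literal text could end up in the
    # password field.
    "have_root_hash" expression => isvariable("rpw[root][1]");

  field_edits:
    have_root_hash::
      "root:.*" edit_field => col(":", "2", "$(rpw[root][1])", "set");
}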
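# Server side: export one root password file per class, readable only by the
# hosts listed for that class in classes.txt, and only over encrypted connections.
bundle server passwords
{
  vars:
    # Read a file of format
    #
    # classname: host1,host2,host4,IP-address,regex.*,etc
    #
    # readstringarray splits each line on ":" so acl[classname][1] holds the
    # entire comma-separated host list. Whitespace around the separators is
    # presumably kept as part of each entry -- avoid it in the file.
    "pw_classes"
      int => readstringarray(
        "acl",
        "$(g.secret_keys_dir)/classes.txt",
        "#[^\n]*",
        ":",
        "100",
        "4000"
      );

    "each_pw_class" slist => getindices("acl");

  access:
    # NOTE(review): the exported path is hard-coded to /secret/keys while the ACL is
    # read from $(g.secret_keys_dir); confirm both point where the files live.
    "/secret/keys/$(each_pw_class)-root.txt"
      # The host list is comma-separated (format above), so split on ",".
      # Splitting on ":" yields one element holding the whole list, which is
      # unlikely to match any connecting host.
      admit => splitstring("$(acl[$(each_pw_class)][1])", ",", "100"),
      ifencrypted => "true";
}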

Distribute SSH keys

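# Let root log in with the public key of $(user): fetch the key from
# $(sourcehost) into a local cache and add it to root's authorized_keys if no
# line already mentions the user.
bundle agent allow_ssh_rootlogin_from_authorized_keys(user, sourcehost)
{
  vars:
    "local_cache" string => "/var/cfengine/ssh_cache";
    "authorized_source" string => "/master/CFEngine/ssh_keys";

  files:
    "$(local_cache)/$(user).pub"
      comment => "Copy public keys from an authorized cache into a cache on localhost",
      perms => mo("600", "root"),
      # A public key grants login, so its integrity matters as much as the root
      # password hash: use the encrypted, verified copy (secure_cp, same
      # (from, server) signature) instead of plain remote_cp.
      copy_from => secure_cp(
        "$(authorized_source)/$(user).pub", "$(sourcehost)"
      ),
      # throttle how often the copy is re-evaluated
      action => if_elapsed("60");

    "/root/.ssh/authorized_keys"
      comment => "Edit the authorized keys into the user's personal keyring",
      edit_line => insert_file_if_no_line_matching(
        "$(user)", "$(local_cache)/$(user).pub"
      ),
      action => if_elapsed("60");
}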
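# Let $(user) log in with their own public key: fetch the key from
# $(sourcehost) into a local cache and add it to the user's authorized_keys if
# no line already mentions the user.
bundle agent allow_ssh_login_from_authorized_keys(user, sourcehost)
{
  vars:
    "local_cache" string => "/var/cfengine/ssh_cache";
    "authorized_source" string => "/master/CFEngine/ssh_keys";

  files:
    "$(local_cache)/$(user).pub"
      comment => "Copy public keys from an authorized cache into a cache on localhost",
      perms => mo("600", "root"),
      # A public key grants login, so its integrity matters as much as the root
      # password hash: use the encrypted, verified copy (secure_cp, same
      # (from, server) signature) instead of plain remote_cp.
      copy_from => secure_cp(
        "$(authorized_source)/$(user).pub", "$(sourcehost)"
      ),
      # throttle how often the copy is re-evaluated
      action => if_elapsed("60");

    "/home/$(user)/.ssh/authorized_keys"
      comment => "Edit the authorized keys into the user's personal keyring",
      edit_line => insert_file_if_no_line_matching(
        "$(user)", "$(local_cache)/$(user).pub"
      ),
      action => if_elapsed("60");
}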
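# Insert the whole contents of $(file) into the edited file unless some line
# there already mentions $(user).
bundle edit_line insert_file_if_no_line_matching(user, file)
{
  classes:
    # $(edit.filename) is the file this edit_line bundle is editing; inside a
    # classes promise $(this.promiser) would be the class name ("have_user"),
    # not the file. CFEngine regexes are anchored, so the leading .* lets the
    # user name appear anywhere on the line (e.g. in a key's trailing comment)
    # rather than only at the start.
    "have_user" expression => regline(".*$(user).*", "$(edit.filename)");

  insert_lines:
    !have_user::
      "$(file)" insert_type => "file";
}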