# Assume that we have collected all users' public keys into a single source area
# on the server. First copy the ones we need to localhost, and then edit them into
# the user's local keyring.

# vars:
#
#  "users" slist => { "user1", "user2", ...};
#
# methods:
#
#  "any" usebundle => allow_ssh_login_from_authorized_keys(@(users),"sourcehost");
#
########################################################################

bundle agent allow_ssh_rootlogin_from_authorized_keys(user,sourcehost)
{
  vars:
      "local_cache"       string => "/var/cfengine/ssh_cache";
      "authorized_source" string => "/master/CFEngine/ssh_keys";

  files:
      "$(local_cache)/$(user).pub"
      comment => "Copy public keys from a an authorized cache into a cache on localhost",
      perms => mo("600","root"),
      copy_from => remote_cp("$(authorized_source)/$(user).pub","$(sourcehost)"),
      action => if_elapsed("60");

      "/root/.ssh/authorized_keys"
      comment => "Edit the authorized keys into the user's personal keyring",
      edit_line => insert_file_if_no_line_matching("$(user)","$(local_cache)/$(user).pub"),
      action => if_elapsed("60");
}
########################################################################

bundle agent allow_ssh_login_from_authorized_keys(user,sourcehost)
{
  vars:
      "local_cache"       string => "/var/cfengine/ssh_cache";
      "authorized_source" string => "/master/CFEngine/ssh_keys";

  files:
      "$(local_cache)/$(user).pub"
      comment => "Copy public keys from a an authorized cache into a cache on localhost",
      perms => mo("600","root"),
      copy_from => remote_cp("$(authorized_source)/$(user).pub","$(sourcehost)"),
      action => if_elapsed("60");

      "/home/$(user)/.ssh/authorized_keys"
      comment => "Edit the authorized keys into the user's personal keyring",
      edit_line => insert_file_if_no_line_matching("$(user)","$(local_cache)/$(user).pub"),
      action => if_elapsed("60");
}
########################################################################

bundle edit_line insert_file_if_no_line_matching(user,file)
{
  classes:
      "have_user" expression => regline("$(user).*","$(this.promiser)");
  insert_lines:
    !have_user::
      "$(file)"
      insert_type => "file";
}