Diffstat (limited to 'lib/puppet')
-rw-r--r--lib/puppet/parser/functions/trocla.rb33
-rw-r--r--lib/puppet/parser/functions/trocla_get.rb38
-rw-r--r--lib/puppet/parser/functions/trocla_set.rb63
-rw-r--r--lib/puppet/util/trocla_helper.rb43
4 files changed, 177 insertions, 0 deletions
diff --git a/lib/puppet/parser/functions/trocla.rb b/lib/puppet/parser/functions/trocla.rb
new file mode 100644
index 0000000..b1a7b61
--- /dev/null
+++ b/lib/puppet/parser/functions/trocla.rb
@@ -0,0 +1,33 @@
+module Puppet::Parser::Functions
+ newfunction(:trocla, :type => :rvalue, :doc => "
+This will create or get a random password from the trocla storage.
+
+Usage:
+
+ $password_user1 = trocla(key,[format='plain'[,options={}]])
+
+Means:
+
+ $password_user1 = trocla('user1')
+
+Create or get the plain text password for the key 'user1'
+
+ $password_user2 = trocla('user2','mysql')
+
+Create or get the mysql style sha1 hashed password.
+
+ $options_user3 = { 'username' => 'user3' } # Due to a puppet bug
+ # this needs to be assigned
+ # like that.
+ $password_user3 = trocla('user3','pgsql', $options_user3)
+
+Options can also be passed as a yaml string:
+
+ $password_user3 = trocla('user3','pgsql', \"username: 'user3'\")
+ "
+ ) do |*args|
+ require File.dirname(__FILE__) + '/../../util/trocla_helper'
+
+ Puppet::Util::TroclaHelper.trocla(:password,true,*args)
+ end
+end
diff --git a/lib/puppet/parser/functions/trocla_get.rb b/lib/puppet/parser/functions/trocla_get.rb
new file mode 100644
index 0000000..fb5cd5a
--- /dev/null
+++ b/lib/puppet/parser/functions/trocla_get.rb
@@ -0,0 +1,38 @@
+module Puppet::Parser::Functions
+ newfunction(:trocla_get, :type => :rvalue, :doc => "
+ This will only get an already stored password from the trocla storage.
+
+Usage:
+
+ $password_user1 = trocla_get(key,[format='plain'[,raise_error=true]])
+
+Means:
+
+ $password_user1 = trocla('user1')
+
+Get the plain text password for the key 'user1'
+
+ $password_user2 = trocla_get('user2','mysql')
+
+Get the mysql style sha1 hashed password.
+
+By default puppet will raise a parse error if the password haven't yet been
+stored in trocla. This can be turned off by setting false as a third argument:
+
+ $password_user3 = trocla_get('user2','mysql',false)
+
+the return value will be undef if the key & format pair is not found.
+"
+ ) do |*args|
+ if args[0].is_a?(Array)
+ args = args[0]
+ end
+ require File.dirname(__FILE__) + '/../../util/trocla_helper'
+ args[1] ||= 'plain'
+ raise_error = args[2].nil? ? true : args[2]
+ if (answer=Puppet::Util::TroclaHelper.trocla(:get_password,false,[args[0],args[1]])).nil? && raise_error
+ raise(Puppet::ParseError, "No password for key,format #{args[0..1].flatten.inspect} found!")
+ end
+ answer.nil? ? :undef : answer
+ end
+end
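Review bot: The example under "Means:" in the docstring calls `trocla('user1')`, but `trocla` is documented as create-or-get while this function is get-only, so the line should read `$password_user1 = trocla_get('user1')`. Separately, `raise_error = args[2].nil? ? true : args[2]` accepts any non-nil value, so a string such as `'false'` is truthy and the ParseError is still raised. If string arguments can reach this function from manifests, either normalise them (`raise_error = false if args[2].to_s == 'false'`) or state in the docstring that only a real boolean disables the error.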
diff --git a/lib/puppet/parser/functions/trocla_set.rb b/lib/puppet/parser/functions/trocla_set.rb
new file mode 100644
index 0000000..06da5ae
--- /dev/null
+++ b/lib/puppet/parser/functions/trocla_set.rb
@@ -0,0 +1,63 @@
+module Puppet::Parser::Functions
+ newfunction(:trocla_set, :type => :rvalue, :doc => "
+ This will set a password/hash in the local storage and return itself,
+ or hashed in another format, if the password is present in plaintext or
+ in that specific hash format.
+
+ This function is mainly useful to migrate from hashes in manifests to trocla only manifests.
+
+Usage:
+
+ $password_user1 = trocla_set(key,value,[format='plain',[return_format,[options={}]]])
+
+Means:
+
+ $password_user1 = trocla_set('user1','mysecret')
+
+Will set and return 'mysecret' as plain password.
+
+ $password_user2 = trocla_set('user2','*AAA...','mysql')
+
+Will set and return the sha1 hashed mysql password for the key user2.
+
+ $password_user3 = trocla_set('user3','mysecret','plain','sha512crypt')
+
+Will set 'mysecret' as plain password, but return a newly created sha512crypt hash.
+
+ $postgres_user4 = { username => 'user4' }
+ $password_user4 = trocla_set('user4','mysecret','plain','pgsql',$postgres_user4)
+
+Will set the plain password 'mysecret' and return a pgsql md5 hash for user5.
+
+ $password_user2 = trocla_set('user2','*AAA...','mysql','sha512crypt')
+
+This will likely fail, except if you add the plain password or the sha512crypt hash manually to
+trocla, for example via cli.
+"
+) do |*args|
+ if args[0].is_a?(Array)
+ args = args[0]
+ end
+
+ key = args[0]
+ value = args[1]
+ raise(Puppet::ParseError, "You need to pass at least key & value as an argument!") if key.nil? || value.nil?
+
+ format = args[2] || 'plain'
+ return_format = args[3] || format
+ options = args[4] || {}
+
+ configfile = File.join(File.dirname(Puppet.settings[:config]), "troclarc.yaml")
+
+ raise(Puppet::ParseError, "Trocla config file #{configfile} not readable") unless File.exist?(configfile)
+
+ require 'trocla'
+
+ result = (trocla=Trocla.new(configfile)).set_password(key,format,value)
+ if format != return_format && (result = trocla.get_password(key,return_format)).nil?
+ raise(Puppet::ParseError, "Plaintext password is not present, but required to return password in format #{return_format}") if (return_format == 'plain') || trocla.get_password(key,'plain').nil?
+ result = trocla.password(key,return_format,options)
+ end
+ result
+ end
+end
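Review bot: After `set_password(key,format,value)`, the `format != return_format` branch returns whatever `trocla.get_password(key,return_format)` already holds, so a hash stored earlier for the same key is returned without being tied to the value just set. Whether `set_password` drops the other stored formats is not visible in this diff; if it does not, callers can receive a `return_format` hash that no longer matches the new password. At minimum, add a comment on that line such as `# returns an existing return_format entry as-is; relies on set_password invalidating other formats`. This block also repeats the config-file lookup and leading-Array unwrapping from `Puppet::Util::TroclaHelper` and, unlike `trocla()`, does not accept `options` as a YAML string. Finally, the docstring's user4 example says "for user5".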
diff --git a/lib/puppet/util/trocla_helper.rb b/lib/puppet/util/trocla_helper.rb
new file mode 100644
index 0000000..ce583f5
--- /dev/null
+++ b/lib/puppet/util/trocla_helper.rb
@@ -0,0 +1,43 @@
+module Puppet::Util::TroclaHelper
+ def trocla(trocla_func,has_options,*args)
+ # Functions called from puppet manifests that look like this:
+ # lookup("foo", "bar")
+ # internally in puppet are invoked: func(["foo", "bar"])
+ #
+ # where as calling from templates should work like this:
+ # scope.function_lookup("foo", "bar")
+ #
+ # Therefore, declare this function with args '*args' to accept any number
+ # of arguments and deal with puppet's special calling mechanism now:
+ if args[0].is_a?(Array)
+ args = args[0]
+ end
+
+ key = args[0] || raise(Puppet::ParseError, "You need to pass at least a key as an argument!")
+ format = args[1] || 'plain'
+ options = args[2] || {}
+
+ if options.is_a?(String)
+ require 'yaml'
+ options = YAML.load(options)
+ end
+
+ has_options ? store.send(trocla_func, key, format, options) : store.send(trocla_func, key, format)
+ end
+ module_function :trocla
+
+ private
+
+ def store
+ @store ||= begin
+ require 'trocla'
+ configfile = File.join(File.dirname(Puppet.settings[:config]), "troclarc.yaml")
+
+ raise(Puppet::ParseError, "Trocla config file #{configfile} is not readable") unless File.exist?(configfile)
+
+ Trocla.new(configfile)
+ end
+ end
+ module_function :store
+
+end
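Review bot: `options = YAML.load(options)` runs the full YAML loader on a string supplied by a manifest or template, and that loader can instantiate tagged Ruby objects from its input, while the options here only need to be a flat hash. Where the Ruby/Psych version in use provides it, `options = YAML.safe_load(options)` is sufficient. It should be followed by `raise(Puppet::ParseError, "options must be a hash") unless options.is_a?(Hash)`, since a scalar YAML string would otherwise reach the store as the options argument. The `File.exist?(configfile)` guard in `store` reports "is not readable"; `File.readable?(configfile)` would match the message, and the same check appears in trocla_set.rb.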