On 02/10/2012 02:12 PM, John Mitchell wrote:
> This was my original idea, however I tried to start simpler, I tried to 
> get a handle on editfiles only to realise after writing it... that I 
> was using cfengine 2 syntax, which was vastly different.
> 
> I was originally looking for "# Apache" and if not finding it then 
> inserting it,
> 
> # Apache
> various lines here
> # End apache
> 
> and then removing it 
> 
> but I couldn't work out how to do this in cfengine 3. 


Yeah, I'm not sure exactly how to do it, but you will want to use the
location attribute of insert_lines
(http://cfengine.com/manuals/cf3-reference.html#location-in-insert_005flines)
to place your insert before your deny rule. Attached is an example that
uses select_region; I hope it's close enough to get you started.



-- 
Nick Anderson <n...@cmdln.org>
# Entry point for this self-contained example policy.
body common control {
    # Only "main" is scheduled directly.
    bundlesequence => { "main" };

    # Standard library file; the value() and always() bodies used by the
    # edit_line bundles are not defined in this file, so they presumably
    # come from here.
    inputs => { "cfengine_stdlib.cf" };
}

# Top-level agent bundle: its only promise is to run the "test" bundle.
bundle agent main {
    methods:
        "any"
            usebundle => test;
}

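bundle agent test {
# Demonstration bundle: writes one "Match User" and one "Match Group" section
# into a scratch copy of sshd_config, each confining the principal to a
# chrooted SFTP session.
#
# The target is /tmp/sshd_config so the example cannot lock anyone out.
# Before pointing these promises at the live sshd_config, also promise the
# file's owner and mode, and check the result with `sshd -t` before sshd is
# reloaded, so a half-edited file is never put into service.
    vars:
        # Each array maps an sshd_config keyword to the value wanted inside the
        # Match section. %u is expanded by sshd to the user name.
        # sshd_config(5) requires every component of the ChrootDirectory path
        # to be root-owned and not writable by group or others.
        "restricted_user_ssh[ChrootDirectory]" string => "/sftp-jail/%u";
        # Was "sftp", which asks sshd to run the sftp client through the
        # user's shell; inside a bare chroot neither exists. The in-process
        # server is what the group section below already uses.
        "restricted_user_ssh[ForceCommand]" string => "internal-sftp";

        "sftponly_group_ssh[ChrootDirectory]" string => "/sftp-jail/%u";
        "sftponly_group_ssh[ForceCommand]" string => "internal-sftp";

    files:
        # Two separate promises on the same file, one per Match section. The
        # second argument is the fully qualified array name, not its contents.
        "/tmp/sshd_config"
            create      => "true",
            edit_line   => set_config_values_sshd_match_user("restricteduser", "test.restricted_user_ssh");

        "/tmp/sshd_config"
            create      => "true",
            edit_line   => set_config_values_sshd_match_group("sftponly", "test.sftponly_group_ssh");

}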

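bundle edit_line set_config_values_sshd_match_user(user, settings) {
# Ensure a "Match User <user>" section exists and that every keyword in the
# array named by `settings` is present inside it with the given value.
#
#   user     - user name placed after "Match User"
#   settings - fully qualified name of an array of keyword => value
#
# This bundle only manages settings that it is given, it does not remove
# extraneous settings in the section.
#
# NOTE(review): `user` and the keyword names are interpolated into regular
# expressions unescaped, so callers should pass plain names without regex
# metacharacters.
# NOTE(review): matching is case-sensitive, while sshd reads keywords
# case-insensitively and keeps the first value it finds. An existing line with
# different capitalisation would survive and win over the inserted one.
    vars:
        "settings_index" slist => getindices("$(settings)");
        "line"           string => "Match User $(user)";
        "cline"          string => canonify("$(line)");

    replace_patterns:
        # Normalise spacing variants of the header to the canonical form; the
        # lookahead skips a header that is already canonical.
        "^(?!$(line))Match\s*User\s*$(user)$"
            replace_with => value("Match User $(user)"),
            comment => "Make sure there is consistency in form",
            # always() is taken from the stdlib; presumably it sets the class
            # whatever the outcome, which the header insert below relies on.
            classes => always("replace_done_$(cline)");

    insert_lines:
        # Add the header if it is still missing after normalisation.
        "$(line)"
            ifvarclass => "replace_done_$(cline)";

    delete_lines:
        # Drop existing lines for each managed keyword inside the section.
        # The keyword must end at whitespace or end of line, so managing
        # AuthorizedKeysCommand no longer also deletes
        # AuthorizedKeysCommandUser.
        "\s*$(settings_index)(\s.*)?"
            select_region => sshd_config_match_user("$(user)");

    insert_lines:
        # Write the wanted "keyword value" line, indented, into the section.
        "    $(settings_index) $($(this.settings)[$(this.settings_index)])"
            select_region => sshd_config_match_user("$(user)");

}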

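bundle edit_line set_config_values_sshd_match_group(group, settings) {
# Ensure a "Match Group <group>" section exists and that every keyword in the
# array named by `settings` is present inside it with the given value.
#
#   group    - group name placed after "Match Group"
#   settings - fully qualified name of an array of keyword => value
#
# This bundle only manages settings that it is given, it does not remove
# extraneous settings in the section.
#
# NOTE(review): `group` and the keyword names are interpolated into regular
# expressions unescaped, so callers should pass plain names without regex
# metacharacters.
# NOTE(review): matching is case-sensitive, while sshd reads keywords
# case-insensitively and keeps the first value it finds. An existing line with
# different capitalisation would survive and win over the inserted one.
    vars:
        "settings_index" slist => getindices("$(settings)");
        "line"           string => "Match Group $(group)";
        "cline"          string => canonify("$(line)");

    replace_patterns:
        # Normalise spacing variants of the header to the canonical form; the
        # lookahead skips a header that is already canonical.
        "^(?!$(line))Match\s*Group\s*$(group)$"
            replace_with => value("Match Group $(group)"),
            comment => "Make sure there is consistency in form",
            # always() is taken from the stdlib; presumably it sets the class
            # whatever the outcome, which the header insert below relies on.
            classes => always("replace_done_$(cline)");

    insert_lines:
        # Add the header if it is still missing after normalisation.
        "$(line)"
            ifvarclass => "replace_done_$(cline)";

    delete_lines:
        # Drop existing lines for each managed keyword inside the section.
        # The keyword must end at whitespace or end of line, so managing
        # AuthorizedKeysCommand no longer also deletes
        # AuthorizedKeysCommandUser.
        "\s*$(settings_index)(\s.*)?"
            select_region => sshd_config_match_group("$(group)");

    insert_lines:
        # Write the wanted "keyword value" line, indented, into the section.
        "    $(settings_index) $($(this.settings)[$(this.settings_index)])"
            select_region => sshd_config_match_group("$(group)");

}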

body select_region sshd_config_match_user (x) {
# Edit region for one "Match User <x>" section: it opens at that header and
# is closed by the next line that begins another Match section.
    # The header belongs to the region; the following Match line does not.
    include_start_delimiter => "true";
    include_end_delimiter => "false";

    select_start => "^Match\s*User\s*$(x)";
    select_end   => "^Match\s.*";
}

body select_region sshd_config_match_group (x) {
# Edit region for one "Match Group <x>" section: it opens at that header and
# is closed by the next line that begins another Match section.
    # The header belongs to the region; the following Match line does not.
    include_start_delimiter => "true";
    include_end_delimiter => "false";

    select_start => "^Match\s*Group\s*$(x)";
    select_end   => "^Match\s.*";
}
