We define users as such:

user { 'belmin':
    ensure          => present,
    uid             => 308,
    comment         => 'Belmin Fernandez',
    managehome      => true,
    password        => '$6$NrtZpXEauUqjdRh0$vE9oJwbNTSWVCGrlDe4KHXFB0KXY7hszSas3v0DZvhUej4SIb/WLfaCy.lmSU7Hh8AAvAbPuDRai2p1X9mDcM0',
}

I want to define a type that will look in the /etc/shadow local to the puppet master and, if the user is there, use that password hash instead. Something like:

define our_user ($user = $title, $uid, $fullname, $default_hash) {

    $shadow_hash = get_hash_from_local_shadown_somehow

    if $shadow_hash == '' {
        $shadow_hash = $default_hash
    }

    user { $user:
        ensure          => present,
        uid             => $uid,
        comment         => $fullname,
        managehome      => true,
        password        => $shadow_hash,
    }
}

What would get_hash_from_local_shadown_somehow be in this case? I see the file function in Puppet but I'm unsure how to utilize that to address this since I'll need some more text processing.

Note: I know that centralized authentication would be the wisest avenue but that isn't an immediate option at the moment.

Belmin Fernandez
  • I don't think there is a good way to handle this without exposing the user's password in the manifest. Is there a reason you can't use ssh keys instead? – Mike Sep 10 '14 at 16:33
  • That would require substantial organizational policy changes. I would rather band-aid this and then focus on deploying centralized authentication. – Belmin Fernandez Sep 11 '14 at 12:23

1 Answer

Found a way to do this via Puppet's forum using the generate function:

You can use the generate() function to do that.

You'd basically create a script that does whatever processing you need, then $shadow_hash = generate('/path/to/script').

I wrote a simple bash script to retrieve the hash:

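#!/bin/bash

SHADOW_FILE='/etc/shadow'

# Pass the username to awk as a variable instead of splicing it into the awk
# program text, then print the hash field (field 2) of the matching line.
awk -F: -v user="$1" '$1 == user {print $2}' "${SHADOW_FILE}" || echo ''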

And the generate function looks like so:

$shadow_hash = generate('/bin/bash','/usr/local/sbin/extract_shadow_hash', $user)

Hope this helps someone else. Seems like a function that could be useful in a bunch of use cases.

Belmin Fernandez
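
A hardened variant of the extraction script above, as an added example that is not part of the original answer: it validates the username, returns the hash without a trailing newline, and treats empty fields and lock markers (`!`, `!!`, `*`) as "no hash" so the manifest's default is used instead. The function name, the optional shadow-file argument and the sample file are assumptions for illustration, and the hashes in the sample are constructed.

```bash
#!/bin/bash
# Added example, not the answer's script. Prints the usable password hash for
# USER from a shadow-format file; prints nothing when there is no usable hash.

# Usage: extract_shadow_hash USER [SHADOW_FILE]   (SHADOW_FILE is an assumption)
extract_shadow_hash() {
    local user="$1" shadow_file="${2:-/etc/shadow}" hash

    # Accept only conventional account names: a letter or underscore first,
    # then letters, digits, underscore or hyphen. Anything else is rejected.
    case "$user" in
        ''|[!a-z_]*|*[!a-z0-9_-]*) return 2 ;;
    esac

    # Exact string match on field 1. The name is passed as awk data (-v), not
    # spliced into the awk program; printf avoids a trailing newline.
    hash=$(awk -F: -v user="$user" '$1 == user { printf "%s", $2; exit }' \
        "$shadow_file") || return 1

    # Only crypt(3)-style "$id$..." values count as a hash. Empty fields and
    # lock markers ("!", "!!", "*", "!$6$...") print nothing, so the manifest
    # falls back to its default instead of pushing them to every node.
    case "$hash" in
        '$'*'$'*) printf '%s' "$hash" ;;
    esac
    return 0
}

# Constructed sample shadow file for demonstration; the hashes are made up.
make_sample_shadow() {
    cat > "$1" <<'EOF'
alice:$6$saltsalt$abcdefABCDEF0123456789./:16300:0:99999:7:::
bob:!!:16300:0:99999:7:::
carol:!$6$saltsalt$lockedhashvalue:16300:0:99999:7:::
dave::16300:0:99999:7:::
EOF
}

# When called with arguments (as generate() would), print the hash.
if [ "$#" -gt 0 ]; then
    extract_shadow_hash "$@"
fi
```

An empty result maps onto the question's `$shadow_hash == ''` check, so locked or passwordless entries on the master never replace the default hash.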