Add default_overrides to simplify user_specifications
user_specifications included standard specifications and default
overrides.
This commit takes away default_overrides to a separate variable.

Fix ansible-lint and tests
spetrosi committed May 20, 2024
1 parent 74f7459 commit 7539fb6
Showing 11 changed files with 234 additions and 208 deletions.
77 changes: 45 additions & 32 deletions README.md
Expand Up @@ -118,69 +118,85 @@ Type: `list`

#### user_specifications

You can use this `list` variable to apply [Standard user_specifications](#standard-user_specifications) and [Default Override user_specifications](#default-override-user_specifications) to a sudoers file configuration.

##### Standard user_specifications
You can use this `list` variable to apply user specifications to a sudoers file configuration.

Supported entries:

`users` List of users to apply the specification to.
1. `users` - List of users to apply the specification to.
You can use a `user_alias` name as well as user names.

`hosts` List of hosts to apply the specification to.
2. `hosts` - List of hosts to apply the specification to.
You can use a defined `host_alias` name as well as host names.

`operators` List of operators to apply the specification to.
3. `operators` - List of operators to apply the specification to.
You can use a defined `runas_alias` name as well as user names.

`selinux_role` Optional selinux role to apply to the specification.
4. `selinux_role` - Optional selinux role to apply to the specification.

`selinux_type` Optional selinux type to apply to the specification.
5. `selinux_type` - Optional selinux type to apply to the specification.

`solaris_privs` Optional Solaris privset to apply to the specification.
6. `solaris_privs` - Optional Solaris privset to apply to the specification.

`solaris_limitprivs` Optional Solaris privset to apply to the specification.
7. `solaris_limitprivs` - Optional Solaris privset to apply to the specification.

`tags` Optional list of tags to apply to the specification.
8. `tags` - Optional list of tags to apply to the specification.

`commands` List of commands to apply the specification to.
9. `commands` - List of commands to apply the specification to.
You can use a defined `cmnd_alias` name as well as commands.

#### Default Override user_specifications
Example definition:

```yaml
sudo_sudoers_files:
- path: /etc/sudoers.d/pingers
user_specifications:
- users:
- root
hosts:
- ALL
operators:
- ALL
commands:
- ALL
- users:
- "%wheel"
hosts:
- ALL
operators:
- ALL
commands:
- ALL
```

#### default_overrides

You can use this `list` variable to apply Default Override user_specifications to a sudoers file configuration.

Supported entries:

`defaults` List of defaults to override from the main configuration.
1. `defaults` - List of defaults to override from the main configuration.

`type` Type of default to override, this affects the operator in the configuration ( host -> `@`, user -> `:`, command -> `!`, and runas -> `>`).
2. `type` - Type of default to override, this affects the operator in the configuration ( host -> `@`, user -> `:`, command -> `!`, and runas -> `>`).
The type field can be one of the following values: `command`, `host`, `runas`, or `user`.

`commands` Use when `type: command`.
3. `commands` - Use when `type: command`.
List of `cmnd_alias` names as well as commands to override specific default values.

`hosts` Use when `type: host`.
4. `hosts` - Use when `type: host`.
List of `host_alias` names as well as individual host names to override specific default values.

`operators` Use when `type: runas`.
5. `operators` - Use when `type: runas`.
List of `runas_alias` names as well as individual user names to override specific default values.

`users` Use when `type: user`.
6. `users` - Use when `type: user`.
List of `user_alias` names as well as individual user names to override specific default values.

Example Definition:

```yaml
sudo_sudoers_files:
- path: /etc/sudoers.d/pingers
user_specifications:
- users:
- root
hosts:
- ALL
operators:
- ALL
commands:
- ALL
default_overrides:
- type: user
defaults:
- "!requiretty"
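Review bot: the description under the new `#### default_overrides` heading still reads "apply Default Override user_specifications", the section name this commit retires; it should say "apply default overrides", and since the `##### Standard user_specifications` heading and the `(#default-override-user_specifications)` anchor are gone, the rest of README.md should be checked for links to them. Two smaller points in the same hunk: the `type` entry has a stray space in "( host -> `@`" and a comma splice ("Type of default to override, this affects the operator ..."), and "Example definition:" / "Example Definition:" should use one capitalization. In the new example the `- type: user` entry shows `defaults` but not the `users` list that the text says belongs with `type: user`; the entry is cut off in this view, so make sure the full example carries it, otherwise a reader copying the snippet ends up with an override that names no subject.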
Expand Down Expand Up @@ -416,7 +432,4 @@ Example Definition:

MIT

## Author Information

Radovan Sroka @rsroka
Based on[Ansible-sudoers: "https://github.com/ahuffman/ansible-sudoers"]
Based on [Ansible-sudoers: "https://github.com/ahuffman/ansible-sudoers"]
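Review bot: the spacing fix is fine, but `[Ansible-sudoers: "https://github.com/ahuffman/ansible-sudoers"]` is not Markdown link syntax and renders as literal brackets; while touching the line, write it as `Based on [Ansible-sudoers](https://github.com/ahuffman/ansible-sudoers)`.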
184 changes: 89 additions & 95 deletions templates/sudoers.j2
@@ -1,5 +1,6 @@
{%- macro render_aliases(alias_desc,alias_str,alias_dict,alias_subdict_name) %}
{% if item.aliases[alias_dict] is defined %}

## {{ alias_desc }}
{% for alias_item in item.aliases[alias_dict] %}
{% set _alias = [] %}
Expand All @@ -19,14 +20,15 @@
{% endfor %}
{% for spec_default in spec.defaults %}
{% set _ = _spec_default.append(spec_default) %}
{% endfor -%}
{% endfor %}
Defaults{{ sign }} {{ _spec_original | join(", ")}} {{ _spec_default |
join(", ")}}
{% endif %}
{% endmacro %}
{% endmacro -%}
{{ ansible_managed | default('Ansible managed') | comment }}
{{ "system_role:sudo" | comment(prefix="", postfix="") }}
{% if item.defaults is defined %}
{%- if item.defaults is defined %}

# Default specifications
{% for default in item.defaults %}
{% if default is mapping %}
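Review bot: the whitespace-control changes in this hunk (`{% endfor -%}` to `{% endfor %}`, `{% endmacro %}` to `{% endmacro -%}`, `{% if item.defaults is defined %}` to `{%- if item.defaults is defined %}`) only move blank lines in the rendered file, yet they account for most of the `.ok` fixture churn in this commit, and applying `-%}` and `{%-` to some tags but not their neighbours makes the output layout hard to predict for the next edit. A short comment at the top of the template stating the intended layout (one blank line before each section header, none elsewhere) would make the convention explicit. The expression split over two lines, `Defaults{{ sign }} {{ _spec_original | join(", ")}} {{ _spec_default |` / `join(", ")}}`, is fine as written: the newline sits inside `{{ }}` and is not emitted.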
Expand Down Expand Up @@ -55,113 +57,105 @@ Defaults{{ default }}
Defaults {{ default }}
{% endif %}
{% endfor %}
{% endif %}
{% if item.aliases is defined %}
{% endif -%}
{%- if item.aliases is defined %}

# Alias specifications
{{ render_aliases("Command Aliases", "Cmnd_Alias", "cmnd_alias", "commands") -}}
{{ render_aliases("Host Aliases", "Host_Alias", "host_alias", "hosts") -}}
{{ render_aliases("Runas Aliases", "Runas_Alias", "runas_alias", "users") -}}
{{ render_aliases("User Aliases", "User_Alias", "user_alias", "users") -}}
{% endif %}
{% if item.user_specifications is defined %}
{% if item.user_specifications | selectattr('type', 'undefined') | flatten |
length > 0 %}
{% endif -%}
{%- if item.user_specifications is defined %}

# User specifications
{% for spec in item.user_specifications %}
{% if spec.type is undefined %}
{% set user_spec = [] %}
{% set spec_users = [] %}
{% set spec_hosts = [] %}
{% set spec_ops = [] %}
{% set spec_types = [] %}
{% set spec_roles = [] %}
{% set spec_privs = [] %}
{% set spec_lprivs = [] %}
{% set spec_tags = [] %}
{% set spec_cmnds = [] %}
{% for user in spec.users %}
{% set _ = spec_users.append(user) %}
{% endfor %}
{% set _ = user_spec.append(spec_users | join(", ")) %}
{% set _ = user_spec.append(" ") %}
{% for host in spec.hosts %}
{% set _ = spec_hosts.append(host) %}
{% endfor %}
{% set _ = user_spec.append(spec_hosts | join(", ")) %}
{% set _ = user_spec.append("=") %}
{% if spec.operators is defined %}
{% set _ = user_spec.append("(") %}
{% for op in spec.operators %}
{% set _ = spec_ops.append(op) %}
{% endfor %}
{% set _ = user_spec.append(spec_ops | join(", ")) %}
{% set _ = user_spec.append(")") %}
{% endif %}
{% set _ = user_spec.append(" ") %}
{% if spec.selinux_type is defined %}
{% set _ = user_spec.append("TYPE=") %}
{% for type in spec.selinux_type %}
{% set _ = spec_types.append(type) %}
{% endfor %}
{% set _ = user_spec.append(spec_types | join(", ")) %}
{% set _ = user_spec.append(" ") %}
{% endif %}
{% if spec.selinux_role is defined %}
{% set _ = user_spec.append("ROLE=") %}
{% for role in spec.selinux_role %}
{% set _ = spec_roles.append(role) %}
{% endfor %}
{% set _ = user_spec.append(spec_roles | join(", ")) %}
{% set _ = user_spec.append(" ") %}
{% endif %}
{% if spec.solaris_privs is defined %}
{% set _ = user_spec.append("PRIVS=") %}
{% for priv in spec.solaris_privs %}
{% set _ = spec_privs.append(priv) %}
{% endfor %}
{% set _ = user_spec.append(spec_privs | join(", ")) %}
{% set _ = user_spec.append(" ") %}
{% endif %}
{% if spec.solaris_limitprivs is defined %}
{% set _ = user_spec.append("LIMITPRIVS=") %}
{% for lpriv in spec.solaris_limitprivs %}
{% set _ = spec_lprivs.append(lpriv) %}
{% endfor %}
{% set _ = user_spec.append(spec_lprivs | join(", ")) %}
{% set _ = user_spec.append(" ") %}
{% endif %}
{% if spec.tags is defined %}
{% for tag in spec.tags %}
{% set _ = spec_tags.append(tag) %}
{% endfor %}
{% set _ = user_spec.append(spec_tags | join(":")) %}
{% set _ = user_spec.append(": ") %}
{% endif %}
{% for cmnd in spec.commands %}
{% set _ = spec_cmnds.append(cmnd) %}
{% endfor %}
{% set _ = user_spec.append(spec_cmnds | join(", ")) %}
{{ user_spec | join('') }}
{% endif %}
{% for spec in item.user_specifications %}
{% set user_spec = [] %}
{% set spec_users = [] %}
{% set spec_hosts = [] %}
{% set spec_ops = [] %}
{% set spec_types = [] %}
{% set spec_roles = [] %}
{% set spec_privs = [] %}
{% set spec_lprivs = [] %}
{% set spec_tags = [] %}
{% set spec_cmnds = [] %}
{% for user in spec.users %}
{% set _ = spec_users.append(user) %}
{% endfor %}
{% endif %}
{% endif %}
{% if item.user_specifications | selectattr('defaults', 'defined') |
map(attribute='defaults') | flatten | length > 0 %}
{% set _ = user_spec.append(spec_users | join(", ")) %}
{% set _ = user_spec.append(" ") %}
{% for host in spec.hosts %}
{% set _ = spec_hosts.append(host) %}
{% endfor %}
{% set _ = user_spec.append(spec_hosts | join(", ")) %}
{% set _ = user_spec.append("=") %}
{% if spec.operators is defined %}
{% set _ = user_spec.append("(") %}
{% for op in spec.operators %}
{% set _ = spec_ops.append(op) %}
{% endfor %}
{% set _ = user_spec.append(spec_ops | join(", ")) %}
{% set _ = user_spec.append(")") %}
{% endif %}
{% set _ = user_spec.append(" ") %}
{% if spec.selinux_type is defined %}
{% set _ = user_spec.append("TYPE=") %}
{% for type in spec.selinux_type %}
{% set _ = spec_types.append(type) %}
{% endfor %}
{% set _ = user_spec.append(spec_types | join(", ")) %}
{% set _ = user_spec.append(" ") %}
{% endif %}
{% if spec.selinux_role is defined %}
{% set _ = user_spec.append("ROLE=") %}
{% for role in spec.selinux_role %}
{% set _ = spec_roles.append(role) %}
{% endfor %}
{% set _ = user_spec.append(spec_roles | join(", ")) %}
{% set _ = user_spec.append(" ") %}
{% endif %}
{% if spec.solaris_privs is defined %}
{% set _ = user_spec.append("PRIVS=") %}
{% for priv in spec.solaris_privs %}
{% set _ = spec_privs.append(priv) %}
{% endfor %}
{% set _ = user_spec.append(spec_privs | join(", ")) %}
{% set _ = user_spec.append(" ") %}
{% endif %}
{% if spec.solaris_limitprivs is defined %}
{% set _ = user_spec.append("LIMITPRIVS=") %}
{% for lpriv in spec.solaris_limitprivs %}
{% set _ = spec_lprivs.append(lpriv) %}
{% endfor %}
{% set _ = user_spec.append(spec_lprivs | join(", ")) %}
{% set _ = user_spec.append(" ") %}
{% endif %}
{% if spec.tags is defined %}
{% for tag in spec.tags %}
{% set _ = spec_tags.append(tag) %}
{% endfor %}
{% set _ = user_spec.append(spec_tags | join(":")) %}
{% set _ = user_spec.append(": ") %}
{% endif %}
{% for cmnd in spec.commands %}
{% set _ = spec_cmnds.append(cmnd) %}
{% endfor %}
{% set _ = user_spec.append(spec_cmnds | join(", ")) %}
{{ user_spec | join('') }}
{% endfor %}
{% endif -%}
{%- if item.default_overrides is defined %}

# Default override specifications
{% for spec in item.user_specifications %}
{% if spec.type is defined %}
{% for spec in item.default_overrides %}
{{ render_override_spec(spec,"user","users",":") -}}
{{ render_override_spec(spec,"runas","operators",">") -}}
{{ render_override_spec(spec,"host","hosts","@") -}}
{{ render_override_spec(spec,"command","commands","!") -}}
{% endif %}
{% endfor %}
{% endif %}
{% if item.include_files is defined or item.include_directories is defined %}
{%- endif %}
{%- if item.include_files is defined or item.include_directories is defined %}

# Includes
{% if item.include_files is defined and item.include_files | length > 0 %}
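Review bot: dropping the `{% if spec.type is undefined %}` guard from the `item.user_specifications` loop is a breaking change for existing inventories. An entry written in the old style (`type: user` plus `defaults`, without `hosts` or `commands`) is now rendered as a user specification, so `{% for host in spec.hosts %}` and `{% for cmnd in spec.commands %}` hit an undefined attribute or, if those keys happen to exist, a malformed sudoers line is written. Either keep a guard that fails loudly (`{% if spec.type is defined %}` with a message telling the user to move the entry to `default_overrides`) or state the migration in the README and the commit message. Second, `{%- if item.user_specifications is defined %}` and `{%- if item.default_overrides is defined %}` replace the old `| flatten | length > 0` checks, so an empty list such as `default_overrides: []` now emits the `# Default override specifications` header with nothing under it; `is defined and item.default_overrides | length > 0` keeps the old behaviour.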
Expand All @@ -177,4 +171,4 @@ Defaults {{ default }}
#includedir {{ dir }}
{% endfor %}
{% endif %}
{% endif %}
{% endif -%}
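Review bot: `{% endif -%}` on the last line of the template strips the whitespace after the tag, which at end of file is the final newline; confirm that the rendered sudoers file still ends with a newline (the `.ok` fixtures in this commit are the rendered output, so it is visible there) and, if the intent is only to remove a trailing blank line, prefer deleting that line from the template over trimming at end of file.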
1 change: 0 additions & 1 deletion tests/files/tests_large_configuration_pingers.ok
Expand Up @@ -3,7 +3,6 @@
#
# system_role:sudo


# Default override specifications
Defaults: PINGERS !requiretty
Defaults> root !set_logname
6 changes: 5 additions & 1 deletion tests/files/tests_large_configuration_sudoers.ok
Expand Up @@ -18,12 +18,16 @@ Defaults env_keep += "LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL"
Defaults env_keep += "LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

# Alias specifications

## Command Aliases
Cmnd_Alias PING = /usr/bin/ping

## Host Aliases
Host_Alias HOST = myhost

## Runas Aliases
Runas_Alias RUNAS = username

## User Aliases
User_Alias PINGERS = username

Expand All @@ -34,7 +38,7 @@ root ALL=(ALL) ALL
# Default override specifications
Defaults: PINGERS !requiretty
Defaults> root !set_logname
Defaults@ host1, host2 !requiretty, !requiretty
Defaults@ host1, host2 !requiretty, !set_logname
Defaults! /usr/bin/cd !requiretty

# Includes
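Review bot: the change from `Defaults@ host1, host2 !requiretty, !requiretty` to `Defaults@ host1, host2 !requiretty, !set_logname` is not a whitespace fix. The previous expected output repeated the first default where the second should have been `!set_logname`, which suggests the old template rendered that `type: host` override incorrectly and the fixture was recorded from the faulty output. That is a bug fix and deserves a line in the commit message beyond "Fix ansible-lint and tests", plus a dedicated test case with two distinct defaults on one override so the duplication cannot regress unnoticed.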
6 changes: 1 addition & 5 deletions tests/files/tests_multiple_sudoers_pingers.ok
Expand Up @@ -3,9 +3,5 @@
#
# system_role:sudo




# Default override specifications
Defaults: PINGERS !requiretty

Defaults: PINGERS !requiretty
0 comments on commit 7539fb6