]> git.madduck.net Git - puppet/sudo.git/commitdiff

madduck's git repository

Every one of the projects in this repository is available at the canonical URL git://git.madduck.net/madduck/pub/<projectpath> — see each project's metadata for the exact URL.

All patches and comments are welcome. Please squash your changes to logical commits before using git-format-patch and git-send-email to patches@git.madduck.net. If you'd read over the Git project's submission guidelines and adhered to them, I'd be especially grateful.

SSH access, as well as push access can be individually arranged.

If you use my repositories frequently, consider adding the following snippet to ~/.gitconfig and using the third clone URL listed for each project:

[url "git://git.madduck.net/madduck/"]
  insteadOf = madduck:

projects / puppet / sudo.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (initial)
initial checkin
authormartin f. krafft <madduck@madduck.net>
Tue, 24 Mar 2020 00:20:02 +0000 (01:20 +0100)
committermartin f. krafft <madduck@madduck.net>
Tue, 24 Mar 2020 00:20:02 +0000 (01:20 +0100)
data/defaults.yaml [new file with mode: 0644] patch | blob
data/osfamily/Debian.yaml [new file with mode: 0644] patch | blob
hiera.yaml [new file with mode: 0644] patch | blob
manifests/init.pp [new file with mode: 0644] patch | blob
templates/alias_line.erb [new file with mode: 0644] patch | blob
templates/option_line.erb [new file with mode: 0644] patch | blob
templates/rule_line.erb [new file with mode: 0644] patch | blob
templates/sudoers.erb [new file with mode: 0644] patch | blob

diff --git a/data/defaults.yaml b/data/defaults.yaml
new file mode 100644 (file)
index 0000000..0294874
--- /dev/null
+++ b/data/defaults.yaml
@@ -0,0 +1,3 @@
+lookup_options:
+  "^sudo::defaults::(generic|user|host|runas|cmnd)":
+    merge: hash
diff --git a/data/osfamily/Debian.yaml b/data/osfamily/Debian.yaml
new file mode 100644 (file)
index 0000000..0081eb0
--- /dev/null
+++ b/data/osfamily/Debian.yaml
@@ -0,0 +1,6 @@
+sudo::defaults::sudogroup: sudo
+
+sudo::defaults::generic:
+  env_reset: true
+  mail_badpass: true
+  secure_path: "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
diff --git a/hiera.yaml b/hiera.yaml
new file mode 100644 (file)
index 0000000..e6314fd
--- /dev/null
+++ b/hiera.yaml
@@ -0,0 +1,8 @@
+version: 5
+
+hierarchy:
+  - name: "OS-specific defaults"
+    path: "osfamily/%{::osfamily}.yaml"
+
+  - name: "Defaults"
+    path: "defaults.yaml"
diff --git a/manifests/init.pp b/manifests/init.pp
new file mode 100644 (file)
index 0000000..5e807d6
--- /dev/null
+++ b/manifests/init.pp
@@ -0,0 +1,252 @@
+class sudo (
+    Optional[String[1]] $sudogroup = undef,
+) {
+    $include_directory = '/etc/sudoers.d'
+    $file_defaults = {
+        owner        => "root",
+        group        => "root",
+        mode         => "0440",
+        validate_cmd => "sh -c 'if ! visudo --check --file=%; then cat %; exit 1; fi'",
+    }
+    $default_target = '00-defaults'
+
+    include sudo::install
+    include sudo::files
+    include sudo::defaults
+
+    define option (
+        Optional[String[1]] $parameter = undef,
+        Variant[String[1],Array[String[1]],Integer,Boolean] $value = true,
+        Enum['generic','host','user','cmnd','runas'] $context = 'generic',
+        Optional[Variant[Array[String[1]],String[1]]] $list = undef,
+        String[1] $target = $sudo::default_target,
+        Integer $order = 10,
+        Optional[String[1]] $comment = undef,
+        Boolean $newline_before = true,
+    ) {
+        $param = $parameter ? { undef => $name, default => $parameter }
+        $_list = type($list) ? { list => $list, default => [$list] }
+        sudo::internals::add_sudoers_fragment { "${name}":
+            target  => $target,
+            content => template("sudo/option_line.erb"),
+            order   => $order,
+            comment => $comment,
+        }
+    }
+
+    define alias (
+        Enum['host','user','cmnd','runas'] $type,
+        Optional[Variant[Array[String[1]],String[1]]] $list = undef,
+        String[1] $target = $sudo::default_target,
+        Integer $order = 10,
+        Optional[String[1]] $comment = undef,
+        Boolean $newline_before = true,
+    ) {
+        if $name !~ /^[[:upper:]][[:upper:]_[:digit:]]*$/ {
+            fail("sudoers alias definition '$name' can only contain uppercase letter, numbers, and the underscore")
+        }
+        $_list = type($list) ? { list => $list, default => [$list] }
+        sudo::internals::add_sudoers_fragment { "${name}":
+            target  => $target,
+            content => template("sudo/alias_line.erb"),
+            order   => $order,
+            comment => $comment,
+        }
+    }
+
+    define rule (
+        Variant[Array[String[1]],String[1]] $who,
+        Variant[Array[String[1]],String[1]] $where = 'ALL',
+        Optional[Variant[Array[String[1]],String[1]]] $as_whom = 'ALL',
+        Optional[Variant[Array[String[1]],String[1]]] $as_group = 'ALL',
+        Variant[Array[String[1]],String[1]] $what,
+        String[1] $target = $sudo::default_target,
+        Integer $order = 10,
+        Optional[String[1]] $comment = undef,
+        Boolean $newline_before = true,
+    )
+    {
+        $_comment = $comment ? { undef => $name, default => $comment }
+        sudo::internals::add_sudoers_fragment { "${name}":
+            target  => $target,
+            content => template("sudo/rule_line.erb"),
+            order   => $order,
+            comment => $comment,
+        }
+    }
+}
+
+class sudo::install {
+
+    package { "sudo":
+        ensure => latest,
+    }
+}
+
+class sudo::files (
+) {
+    $include_directory = $sudo::include_directory
+    file { default:
+             *              => $sudo::file_defaults
+           ;
+           "/etc/sudoers":
+               content      => template("sudo/sudoers.erb"),
+               validate_cmd => "visudo --check --strict --file=%",
+           ;
+           "$include_directory":
+               mode         => "0770",
+               recurse      => true,
+               purge        => true,
+               ignore       => ["*.local","*-local-*","local-*"],
+           ;
+           "$include_directory/README":
+               content      => @(EOT)
+                               # This directory is managed by Puppet
+                               #
+                               # Local files can be named any of:
+                               #   - local-*
+                               #   - *-local-*
+                               #   - *.local
+                               | EOT
+           ;
+    }
+}
+
+class sudo::defaults (
+    Optional[String[1]] $sudogroup = undef,
+    Boolean $root_may_sudo = true,
+    Optional[Hash] $generic = undef,
+    Optional[Hash] $user = undef,
+    Optional[Hash] $host = undef,
+    Optional[Hash] $runas = undef,
+    Optional[Hash] $cmnd = undef,
+) {
+    $netfacts = $facts[networking] ? { undef => $facts, default => $facts[networking] }
+    sudo::alias { "LOCALHOST":
+        type => host,
+        list => [ "localhost"
+                , $netfacts[hostname]
+                , $netfacts[fqdn]
+                ],
+    }
+
+    if $sudogroup {
+        $sudogroup_target = "00-sudogroup"
+
+        group { "$sudogroup":
+            ensure => present,
+            system => true
+        }->
+        sudo::rule { "sudogroup":
+            who     => "%$sudogroup",
+            where   => "LOCALHOST",
+            require => Sudo::Alias["LOCALHOST"],
+            what    => "PASSWD: ALL",
+            target  => "$sudogroup_target",
+            comment => "Members of the ${sudogroup} group can use sudo (with password)",
+        }
+    }
+
+    if $root_may_sudo {
+        $rootsudo_target = "00-root_may_sudo"
+
+        sudo::option { "syslog":
+            value   => false,
+            context => user,
+            list    => "root",
+            target  => "$rootsudo_target",
+            comment => "No need to log root usage of sudo",
+        }->
+        sudo::rule { "root_may_sudo":
+            who     => "root",
+            where   => "LOCALHOST",
+            require => Sudo::Alias["LOCALHOST"],
+            what    => "NOPASSWD: ALL",
+            target  => "$rootsudo_target",
+            comment => "root may inadvertedly run sudo, so let them:",
+        }
+    }
+
+    if $generic {
+        concat::fragment { "sudo::defaults::generic comment":
+            target  => "sudoers_file_$sudo::default_target",
+            order   => 14,
+            content => "\n# Generated from the sudo::defaults::generic class parameter:\n",
+        }
+        $generic.each | $param, $value | {
+            sudo::option { "$param":
+                value    => $value,
+                order    => 15,
+                newline_before => false,
+                require  => Concat::Fragment["sudo::defaults::generic comment"],
+            }
+        }
+        concat::fragment { "sudo::defaults::generic end":
+            target  => "sudoers_file_$sudo::default_target",
+            order   => 16,
+            content => "# End sudo::defaults::generic class parameters\n",
+        }
+    }
+
+    $context_hash = {"user"=>$user,"host"=>$host,"runas"=>$runas,"cmnd"=>$cmnd}
+    $context_hash.keys.each | $index, $context | {
+        $defaults = $context_hash[$context]
+        if $defaults {
+            concat::fragment { "sudo::defaults::${context} comment":
+                target  => "sudoers_$default_target",
+                order   => 17 + $index * 3,
+                content => "\n# Generated from the sudo::defaults::${context} class parameter:\n",
+            }
+            $defaults.each | $list, $items  | {
+                $items.each | $param, $value | {
+                    sudo::option { "${context}_${list}_${param}":
+                        parameter => $param,
+                        context   => $context,
+                        list      => $list,
+                        value     => $value,
+                        order     => 18 + $index * 3,
+                        newline_before => false,
+                    }
+                }
+            }
+            concat::fragment { "sudo::defaults::${context} end":
+                target  => "sudoers_$default_target",
+                order   => 19 + $index * 3,
+                content => "# End sudo::defaults::${context} class parameters\n",
+            }
+        }
+    }
+}
+
+class sudo::internals {
+
+    define add_sudoers_fragment (
+        String[1] $target,
+        String[1] $content,
+        Integer $order,
+        Optional[String[1]] $comment = undef,
+    ) {
+        sudo::internals::ensure_sudoers_file { "${name}":
+            target  => $target
+        }
+        $ts = strftime("%s.%N")
+        # include the timestamp to preserve order in the output if execution
+        # is ordered
+        concat::fragment { "${ts}_sudoers_fragment_${target}_${name}":
+            target  => "sudoers_file_${target}",
+            content => $content,
+            order   => $order,
+        }
+    }
+    define ensure_sudoers_file(
+        String[1] $target,
+    ) {
+        ensure_resource('concat', "sudoers_file_${target}", {
+                tag     => "${target}",
+                path    => "${sudo::include_directory}/$target",
+                warn    => "# THIS FILE IS MANAGED BY PUPPET; CHANGES WILL BE OVERWRITTEN\n",
+                require => File[$sudo::include_directory],
+            } + $sudo::file_defaults,
+        )
+    }
+}
diff --git a/templates/alias_line.erb b/templates/alias_line.erb
new file mode 100644 (file)
index 0000000..38d786c
--- /dev/null
+++ b/templates/alias_line.erb
@@ -0,0 +1,16 @@
+<%- if @newline_before %>
+<% end -%>
+<%- if @comment -%>
+<%= @comment.gsub(/(.{1,78})( +|$\n?)|(.{1,78})/, "# \\1\\3\n") -%>
+<%- end -%>
+<%-
+  def render_list(list)
+    return list.join(", \\\n  ")
+  end
+
+  def alias_type(type)
+    return "#{type.capitalize}_Alias"
+  end
+-%>
+<%= alias_type(@type) %> <%= @name %> = \
+  <%= render_list(@_list) %>
diff --git a/templates/option_line.erb b/templates/option_line.erb
new file mode 100644 (file)
index 0000000..a05ecdd
--- /dev/null
+++ b/templates/option_line.erb
@@ -0,0 +1,26 @@
+<%- if @newline_before %>
+<% end -%>
+<% if @comment -%>
+<%= @comment.gsub(/(.{1,78})( +|$\n?)|(.{1,78})/, "# \\1\\3\n") -%>
+<%- end -%>
+<%-
+  def format_parameter(param, value)
+    if [true, false].include? value
+      return "#{value ? "" : "!"}#{param}"
+    elsif value.is_a?(String)
+      return "#{param}=\"#{@value}\""
+    else
+      return "#{param}=#{@value}"
+    end
+  end
+
+  def context_list(context, list)
+    if context == "global"
+      return ""
+    else
+      @CMAP = { "host" => '@', "user" => ':', "cmnd" => '!', "runas" => '>' }
+      return "#{@CMAP[context]}#{list.join(',')}"
+    end
+  end
+-%>
+Defaults<%= context_list(@context, @_list) %> <%= format_parameter(@param, @value) %>
diff --git a/templates/rule_line.erb b/templates/rule_line.erb
new file mode 100644 (file)
index 0000000..2f6a8c5
--- /dev/null
+++ b/templates/rule_line.erb
@@ -0,0 +1,22 @@
+<%- if @newline_before %>
+<% end -%>
+<%- if @_comment -%>
+<%= @_comment.gsub(/(.{1,78})( +|$\n?)|(.{1,78})/, "# \\1\\3\n") -%>
+<%- end -%>
+<%-
+  def rl(list)
+    if list.is_a?(Array)
+      return list.join(",")
+    else
+      return list
+    end
+  end
+  def render_cmnd_list(list)
+    if list.is_a?(Array)
+      return "\\\n  " + list.join(",\\\n  ")
+    else
+      return list
+    end
+  end
+-%>
+<%= "#{rl(@who)} #{rl(@where)} = (#{rl(@as_whom)}:#{rl(@as_group)})" %> <%= render_cmnd_list(@what) %>
diff --git a/templates/sudoers.erb b/templates/sudoers.erb
new file mode 100644 (file)
index 0000000..cb3b6a2
--- /dev/null
+++ b/templates/sudoers.erb
@@ -0,0 +1,6 @@
+# THIS FILE IS MANAGED BY PUPPET; CHANGES WILL BE OVERWRITTEN!
+<%- if @include_directory -%>
+
+# All includeiguration happens run-parts.d style in:
+#includedir <%= @include_directory %>
+<%- end -%>

Legalese

All content available in this repository is copyright © martin f. krafft, unless otherwise noted.

All files and their content are released under the terms of the Artistic Licence 2.0, unless otherwise noted.

The operator of this repository shall not be held liable for offending content in pages linking to or linked from these page, nor does he endorse their content unless stated otherwise.