Andrew Huffman - PR changes

ahuffman · ahuffman · commit c1fa3d382899 · 2016-10-18T15:14:23.000-04:00
diff --git a/LICENSE b/LICENSE
@@ -1,6 +1,7 @@
 The MIT License (MIT)
 
 Copyright (c) 2016 Tyler Cross
+Copyright (c) 2016 Andrew Huffman
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
diff --git a/README.md b/README.md
@@ -1,68 +1,129 @@
-# sudoers
-> An Ansible role for comprehensive management of a sudoers configuration.
-
-[![Build Status](https://travis-ci.org/wtcross/ansible-sudoers.svg?branch=master)](https://travis-ci.org/wtcross/ansible-sudoers)
+# ahuffman.sudoers
+An Ansible role for configuring the /etc/sudoers file and /etc/sudoers.d files.
 
 This role makes it possible to completely define your sudoers configuration with Ansible. All of the following are configurable:
 - defaults
 - aliases
+  * Users
+  * Runas
+  * Hosts
+  * Commands
 - specifications
 
-*Tip:* Here's a [great document about sudoers configuration](https://help.ubuntu.com/community/Sudoers)
+## About and Usage
+The top level `/etc/sudoers` file can be kept as light as possible by specifying sudoer_separate_specs: True in either the defaults or your playbook. sudoer_separate_specs is set to True by default. 
+***Warning, this role will clean out /etc/sudoers.d/ if sudoer_separate_specs is set to false.  You will lose any files stored there even if not generated by this role. 
+
+If sudoer_separate_specs is set to true, it will  include all defaults and aliases in /etc/sudoers rather than breaking the specs out into their own files in /etc/sudoers.d/.
 
-## Design
-The top level `/etc/sudoers` file is kept as light as possible. It includes all defaults and aliases. All sudoer specifications will each be placed in their own file within the `/etc/sudoers.d/` directory. When it comes to sudoer specifications this role favors explicit over implicit configuration. That means you must set each of these properties for a specification:
+All sudoer specifications will each be placed in their own file within the `/etc/sudoers.d/` directory. A specification consists of the following:
 - `name`: the name of the specification (file name in `/etc/sudoers.d/`)
 - `users`: user list or user alias
 - `hosts`: host list or host alias
 - `operators`: operator list or runas alias
-- `commands`: command list or command alias
+- `commands`: command list or
 
 The following properties are optional:
 - `tags`: list of tags (ex: NOPASSWD)
+- `comment`: A comment you'd like to add to your spec for clarity
+
+Valid sudoer tags are: NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV, NOSETENV, LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT.
+
+User/Group specific defaults can be added to the defaults list by a preceding ':' followed by the user/group whitespace then the option.  For example:
+
+	---
+	sudoer_defaults:
+	  - :MONITOR_USER     !logfile
+
+
+This will generate a line:
+Defaults:MONITOR_USER    !logfile
+
 
 ## Example Playbook
-```yaml
-# a super contrived example
-- hosts: all
-
-  vars:
-    sudoer_aliases:
-      user:
-        - name: ADMINS
-          users:
-            - %admin
-      runas:
-        - name: ROOT
-          users:
-            - '#0'
-      host:
-        - name: SERVERS
-          hosts:
-            - 192.168.0.1
-            - 192.168.0.2
-      command:
-        - name: ADMIN_CMNDS
-          commands:
-            - /usr/sbin/passwd
-            - /usr/sbin/useradd
-            - /usr/sbin/userdel
-            - /usr/sbin/usermod
-            - /usr/sbin/visudo
-    sudoer_specs:
-      - name: administrators
-        users: ADMIN
-        hosts: SERVERS
-        operators: ROOT
-        tags:
-          - NOPASSWD
-        commands: ADMIN_CMNDS
-        defaults:
-          - '!requiretty'
-
-  roles:
-    - role: sudoers
-```
+	- hosts: all
+	  vars:
+	    sudoer_aliases:
+	      user:
+                - name: ADMINS
+                  comment: Group of admin users
+	          users:
+	            - %admin
+              runas:
+                - name: ROOT
+                  comment: Root stuff
+	          users:
+	            - '#0'
+	      host:
+                - name: SERVERS
+                  comment: XYZ servers
+	          hosts:
+	            - 192.168.0.1
+	            - 192.168.0.2
+	      command:
+                - name: ADMIN_CMNDS
+                  comment: Stuff admins need
+                  commands:
+	            - /usr/sbin/passwd
+	            - /usr/sbin/useradd
+	            - /usr/sbin/userdel
+	            - /usr/sbin/usermod
+	            - /usr/sbin/visudo
+	    sudoer_specs:
+	      - name: administrators
+                comment: Stuff for admins
+                users: ADMIN
+	        hosts: SERVERS
+	        operators: ROOT
+	        tags:
+	          - NOPASSWD
+	        commands: ADMIN_CMNDS
+
+	  roles:
+	    - ahuffman.sudoers
+
+
+## Defaults:
+sudoer_aliases: {}   
+sudoer_specs: []   
+sudoer_defaults:   
+* #  - requiretty (disabled, just uncomment if required)
+*  - "!visiblepw"
+*  - always_set_home
+*  - env_reset
+*  - env_keep:
+    - COLORS
+    - DISPLAY
+    - HOSTNAME
+    - HISTSIZE
+    - INPUTRC
+    - KDEDIR
+    - LS_COLORS
+    - MAIL
+    - PS1
+    - PS2
+    - QTDIR
+    - USERNAME
+    - LANG
+    - LC_ADDRESS
+    - LC_CTYPE
+    - LC_COLLATE
+    - LC_IDENTIFICATION
+    - LC_MEASUREMENT
+    - LC_MESSAGES
+    - LC_MONETARY
+    - LC_NAME
+    - LC_NUMERIC
+    - LC_PAPER
+    - LC_TELEPHONE
+    - LC_TIME
+    - LC_ALL
+    - LANGUAGE
+    - LINGUAS
+    - _XKB_CHARSET
+    - XAUTHORITY
+*  - secure_path: /sbin:/bin:/usr/sbin:/usr/bin
+* sudoer_separate_specs: True
 
 ## Requirements
 The host operating system must be a member of one of the following OS families:
@@ -79,27 +140,30 @@ None
 # host alias
 name: string
 hosts: string|[hostnames]
+comment: string #procedes the alias with a comment
 
 # user alias
 name: string
 users: string|[username|%group]
+comment: string #procedes the alias with a comment
 
 # runas alias
 name: string
 users: string|[username|%group|#uid]
+comment: string #procedes the alias with a comment
 
 # cmnd alias
 name: string
 commands: string|[string]
+comment: string #procedes the alias with a comment
 
 # sudoer specification
 name: string
 users: string|[string]
 hosts: string|[string]
 operators: string|[string]
 tags: string|[string]
-defaults: string|[string]
-```
+comment: string #procedes the alias with a comment
 
 ## Role Variables
 - `sudoer_aliases`: a dictionary that specifies which aliases to configure
@@ -113,6 +177,14 @@ defaults: string|[string]
     - `string`
     - `string: string`
     - `string: [string]`
+```
 
 ## License
 [MIT](LICENSE)
+
+## Author Information
+### Original Author: 
+[Tyler Cross](https://github.com/wtcross)
+
+### Improved By: 
+[Andrew J. Huffman](https://github.com/ahuffman)
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -2,7 +2,7 @@
 sudoer_aliases: {}
 sudoer_specs: []
 sudoer_defaults:
-  - requiretty
+#  - requiretty
   - "!visiblepw"
   - always_set_home
   - env_reset
@@ -38,3 +38,4 @@ sudoer_defaults:
     - _XKB_CHARSET
     - XAUTHORITY
   - secure_path: /sbin:/bin:/usr/sbin:/usr/bin
+sudoer_separate_specs: True
diff --git a/meta/main.yml b/meta/main.yml
@@ -1,10 +1,11 @@
 galaxy_info:
-  author: Tyler Cross
-  description:
-  issue_tracker_url: https://github.com/wtcross/ansible-sudoers/issues
+  author: 
+    - Tyler Cross
+    - Andrew J. Huffman
+  description: Controls the configuration of the sudoers file and /etc/sudoers.d/ files
   license: MIT
   min_ansible_version: 1.2
-  github_branch: master
+  #github_branch: master
   platforms:
     - name: EL
       versions:
@@ -31,6 +32,7 @@ galaxy_info:
   galaxy_tags:
     - sudo
     - sudoers
+    - sudoers.d
     - admin
     - system
 
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -4,20 +4,20 @@
     name: sudo
     update_cache: yes
     state: present
-  when: "{{ ansible_os_family == 'RedHat' }}"
+  when: ansible_os_family == 'RedHat'
 
 - name: Ensure sudo is installed for Debian family OSs
   apt:
     name: sudo
     update_cache: yes
     state: present
-  when: "{{ ansible_os_family == 'Debian' }}"
+  when: ansible_os_family == 'Debian'
 
 - name: Ensure sudo is installed for SUSE family OSs
   zypper:
     name: sudo
     state: present
-  when: "{{ ansible_os_family == 'SUSE' }}"
+  when: ansible_os_family == 'SUSE'
 
 - name: Ensure the sudoers.d directory is created
   file:
@@ -27,42 +27,62 @@
     mode: 0755
     state: directory
 
-- name: Find all existing sudoer specs
+- name: Ensure the sudoers file is valid and up to date (separate specs)
+  template:
+    src: sudoers_nospec.j2
+    dest: /etc/sudoers
+    owner: root
+    group: root
+    mode: 0440
+    validate: visudo -cf %s
+  when: sudoer_separate_specs == True
+
+- name: Ensure the sudoers file is valid and up to date (specs all in one)
+  template:
+    src: sudoers_plus_spec.j2
+    dest: /etc/sudoers
+    owner: root
+    group: root
+    mode: 0440
+    validate: visudo -cf %s
+  when: sudoer_separate_specs == False
+
+- name: Find all existing separate sudoer specs
   shell: find /etc/sudoers.d -type f -printf "%f\n"
   register: existing_sudoer_spec_list
   changed_when: False
 
-- name: Get a list of all existing sudoer specs
+- name: Get a list of all existing separate sudoer specs
   set_fact:
     existing_sudoer_specs: "{{ existing_sudoer_spec_list.stdout_lines }}"
   changed_when: False
 
-- name: Get a list of all authorized sudoer spec names
+- name: Get a list of all authorized separate sudoer spec names
   set_fact:
     authorized_sudoer_specs: "{{ sudoer_specs | map(attribute='name') | list }}"
   changed_when: False
 
-- name: Ensure all authorized sudoer specs are properly configured
+- name: Ensure all authorized separate sudoer specs are properly configured
   template:
     src: sudoer_spec.j2
     dest: "/etc/sudoers.d/{{ item.name }}"
     owner: root
     group: root
     mode: 0440
     validate: visudo -cf %s
-  with_items: "{{ sudoer_specs }}"
-
-- name: Ensure the sudoers file is valid and up to date
-  template:
-    src: sudoers.j2
-    dest: /etc/sudoers
-    owner: root
-    group: root
-    mode: 0440
-    validate: visudo -cf %s
+  with_items: '{{ sudoer_specs }}'
+  when: sudoer_separate_specs == True
 
-- name: Remove sudoers that are not authorized
+- name: Remove separate sudoer specs that are not authorized
   file:
     path: "/etc/sudoers.d/{{ item }}"
     state: absent
   with_items: "{{ existing_sudoer_specs | difference(authorized_sudoer_specs) }}"
+  when: sudoer_separate_specs == True
+
+- name: Remove separate sudoer specs if not using separate specs
+  file:
+    path: "/etc/sudoers.d/{{ item }}"
+    state: absent
+  with_items: "{{ existing_sudoer_specs }}"
+  when: sudoer_separate_specs == False
diff --git a/templates/sudoer_spec.j2 b/templates/sudoer_spec.j2
@@ -1,4 +1,6 @@
-{% if item.defaults is defined and item.defaults %}
-Defaults:{{ item.users | to_list | join(',') }} {{ item.defaults | to_list | join(',') }}
+#{{ ansible_managed }}
+
+{% if item.comment is defined and item.comment %}
+#{{ item.comment }}
 {% endif %}
 {{ item.users | to_list | join(',') }} {{ item.hosts | to_list | join(',') }}={% if item.operators is defined and item.operators %}({{ item.operators | to_list | join(',') }}){% endif %} {% if item.tags is defined and item.tags %}{{ item.tags | to_list | join(':') }}: {% endif %}{{ item.commands | to_list | join(',') }}
diff --git a/templates/sudoers_nospec.j2 b/templates/sudoers_nospec.j2
diff --git a/templates/sudoers_plus_spec.j2 b/templates/sudoers_plus_spec.j2

-Original file line number
+Diff line change
 +#{{ ansible_managed }}
++
 +{% for default in sudoer_defaults %}
 +{% if default is mapping %}
 +{% for name, values in default.iteritems() %}
 +{% for items in values | to_list | slice(6) %}
 +{% if items %}
 +Defaults    {{ name }} {% if not loop.first %}+{% endif %}= "{{ items | to_list | join(' ') }}"
 +{% endif -%}
 +{% endfor %}
 +{% endfor %}
 +{% elif default|first == ':' %}
 +Defaults{{ default }}
 +{% else %}
 +Defaults    {{ default }}
 +{% endif %}
 +{% endfor %}
++
 +{% if sudoer_aliases.user is defined and sudoer_aliases.user %}
 +#User Aliases
 +{% for alias in sudoer_aliases.user %}
 +{% if alias.comment is defined and alias.comment %}
 +#**{{ alias.comment }}
 +{% endif %}
 +User_Alias {{ alias.name }} = {{ alias.users | join(',') }}
 +{% endfor %}
++
 +{% endif %}
 +{% if sudoer_aliases.runas is defined and sudoer_aliases.runas %}
 +#Runas Aliases
 +{% for alias in sudoer_aliases.runas %}
 +{% if alias.comment is defined and alias.comment %}
 +#**{{ alias.comment }}
 +{% endif %}
 +Runas_Alias {{ alias.name }} = {{ alias.users | join(',') }}
 +{% endfor %}
++
 +{% endif %}
 +{% if sudoer_aliases.host is defined and sudoer_aliases.host %}
 +#Host Aliases
 +{% for alias in sudoer_aliases.host %}
 +{% if alias.comment is defined and alias.comment %}
 +#**{{ alias.comment }}
 +{% endif %}
 +Host_Alias {{ alias.name }} = {{ alias.hosts | join(',') }}
 +{% endfor %}
++
 +{% endif %}
 +{% if sudoer_aliases.command is defined and sudoer_aliases.command %}
 +#Command Aliases
 +{% for alias in sudoer_aliases.command %}
 +{% if alias.comment is defined and alias.comment %}
 +#**{{ alias.comment }}
 +{% endif %}
 +Cmnd_Alias {{ alias.name }} = {{ alias.commands | join(',') }}
 +{% endfor %}
++
 +{% endif %}
++
 +## Allow root to run any commands anywhere
 +root	ALL=(ALL) 	ALL
++
 +# Include all sudoer specifications
 +#includedir /etc/sudoers.d