From dc0a5585fb036fbeba2200564e26c478465afeec Mon Sep 17 00:00:00 2001

From: Rafael Guterres Jeffman <rjeffman@redhat.com>

Date: Tue, 31 Dec 2019 11:04:49 -0300

Subject: [PATCH] Add missing attributes to ipasudorule.

This patch adds the following attributes to ipasudorule:

    - order

    - sudooption

    - runasuser

    - runasgroup

It also fixes behavior of sudocmd assigned to the the sudorule, with the

adittion of the attributes:

    - allow_sudocmds

    - deny_sudocmds

    - allow_sudocmdgroups

    - deny_sudocmdgroups

README-sudorule and tests have been updated to comply with the changes.

---

 README-sudorule.md                            |  14 +-

 ...sure-sudorule-does-not-have-sudooption.yml |  14 +

 .../ensure-sudorule-has-sudooption.yml        |  13 +

 .../ensure-sudorule-is-present-with-order.yml |  12 +

 .../sudorule/ensure-sudorule-is-present.yml   |   2 +

 .../ensure-sudorule-runasuser-is-absent.yml   |  14 +

 .../ensure-sudorule-runasuser-is-present.yml  |  13 +

 .../ensure-sudorule-sudocmd-is-absent.yml     |   7 +-

 .../ensure-sudorule-sudocmd-is-present.yml    |   7 +-

 plugins/modules/ipasudorule.py                | 353 +++++++++++++-----

 tests/sudorule/test_sudorule.yml              | 204 +++++++---

 11 files changed, 504 insertions(+), 149 deletions(-)

 create mode 100644 playbooks/sudorule/ensure-sudorule-does-not-have-sudooption.yml

 create mode 100644 playbooks/sudorule/ensure-sudorule-has-sudooption.yml

 create mode 100644 playbooks/sudorule/ensure-sudorule-is-present-with-order.yml

 create mode 100644 playbooks/sudorule/ensure-sudorule-runasuser-is-absent.yml

 create mode 100644 playbooks/sudorule/ensure-sudorule-runasuser-is-present.yml

diff --git a/README-sudorule.md b/README-sudorule.md

index bb3498b..50c73ad 100644

--- a/README-sudorule.md

+++ b/README-sudorule.md

@@ -68,7 +68,7 @@ Example playbook to make sure sudocmds are present in Sudo Rule:

   - ipasudorule:

       ipaadmin_password: MyPassword123

       name: testrule1

-      cmd:

+      allow_sudocmd:

       - /sbin/ifconfig

       action: member

 ```

@@ -87,7 +87,7 @@ Example playbook to make sure sudocmds are not present in Sudo Rule:

   - ipasudorule:

       ipaadmin_password: MyPassword123

       name: testrule1

-      cmd:

+      allow_sudocmd:

       - /sbin/ifconfig

       action: member

       state: absent

@@ -130,8 +130,14 @@ Variable | Description | Required

 `hostgroup` | List of host group name strings assigned to this sudorule. | no

 `user` | List of user name strings assigned to this sudorule. | no

 `group` | List of user group name strings assigned to this sudorule. | no

-`cmd` | List of sudocmd name strings assigned to this sudorule. | no

-`cmdgroup` | List of sudocmd group name strings assigned wto this sudorule. | no

+`allow_sudocmd` | List of sudocmd name strings assigned to the allow group of this sudorule. | no

+`deny_sudocmd` | List of sudocmd name strings assigned to the deny group of this sudorule. | no

+`allow_sudocmdgroup` | List of sudocmd groups name strings assigned to the allow group of this sudorule. | no

+`deny_sudocmdgroup` | List of sudocmd groups name strings assigned to the deny group of this sudorule. | no

+`sudooption` \| `option` | List of options to the sudorule | no

+`order` | Integer to order the sudorule | no

+`runasuser` | List of users for Sudo to execute as. | no

+`runasgroup` | List of groups for Sudo to execute as. | no

 `action` | Work on sudorule or member level. It can be on of `member` or `sudorule` and defaults to `sudorule`. | no

 `state` | The state to ensure. It can be one of `present`, `absent`, `enabled` or `disabled`, default: `present`. | no

diff --git a/playbooks/sudorule/ensure-sudorule-does-not-have-sudooption.yml b/playbooks/sudorule/ensure-sudorule-does-not-have-sudooption.yml

new file mode 100644

index 0000000..1307044

--- /dev/null

+++ b/playbooks/sudorule/ensure-sudorule-does-not-have-sudooption.yml

@@ -0,0 +1,14 @@

+---

+- name: Tests

+  hosts: ipaserver

+  become: true

+  gather_facts: false

+

+  tasks:

+  # Ensure sudooption is absent in sudorule

+  - ipasudorule:

+      ipaadmin_password: MyPassword123

+      name: testrule1

+      sudooption: "!root"

+      action: member

+      state: absent

diff --git a/playbooks/sudorule/ensure-sudorule-has-sudooption.yml b/playbooks/sudorule/ensure-sudorule-has-sudooption.yml

new file mode 100644

index 0000000..1f32b9a

--- /dev/null

+++ b/playbooks/sudorule/ensure-sudorule-has-sudooption.yml

@@ -0,0 +1,13 @@

+---

+- name: Tests

+  hosts: ipaserver

+  become: true

+  gather_facts: false

+

+  tasks:

+  # Ensure sudooption is present in sudorule

+  - ipasudorule:

+      ipaadmin_password: MyPassword123

+      name: testrule1

+      sudooption: "!root"

+      action: member

diff --git a/playbooks/sudorule/ensure-sudorule-is-present-with-order.yml b/playbooks/sudorule/ensure-sudorule-is-present-with-order.yml

new file mode 100644

index 0000000..9a3c2b2

--- /dev/null

+++ b/playbooks/sudorule/ensure-sudorule-is-present-with-order.yml

@@ -0,0 +1,12 @@

+---

+- name: Tests

+  hosts: ipaserver

+  become: true

+  gather_facts: false

+

+  tasks:

+  # Ensure sudorule is present with the given order.

+  - ipasudorule:

+      ipaadmin_password: MyPassword123

+      name: testrule1

+      order: 2

diff --git a/playbooks/sudorule/ensure-sudorule-is-present.yml b/playbooks/sudorule/ensure-sudorule-is-present.yml

index 5b8f32b..89041af 100644

--- a/playbooks/sudorule/ensure-sudorule-is-present.yml

+++ b/playbooks/sudorule/ensure-sudorule-is-present.yml

@@ -9,4 +9,6 @@

       ipaadmin_password: MyPassword123

       name: testrule1

       description: A test sudo rule.

+      allow_sudocmd: /bin/ls

+      deny_sudocmd: /bin/vim

       state: present

diff --git a/playbooks/sudorule/ensure-sudorule-runasuser-is-absent.yml b/playbooks/sudorule/ensure-sudorule-runasuser-is-absent.yml

new file mode 100644

index 0000000..56612f1

--- /dev/null

+++ b/playbooks/sudorule/ensure-sudorule-runasuser-is-absent.yml

@@ -0,0 +1,14 @@

+---

+- name: Tests

+  hosts: ipaserver

+  become: true

+  gather_facts: false

+

+  tasks:

+  # Ensure sudorule is present with the given order.

+  - ipasudorule:

+      ipaadmin_password: MyPassword123

+      name: testrule1

+      runasuser: admin

+      action: member

+      state: absent

diff --git a/playbooks/sudorule/ensure-sudorule-runasuser-is-present.yml b/playbooks/sudorule/ensure-sudorule-runasuser-is-present.yml

new file mode 100644

index 0000000..8af49b9

--- /dev/null

+++ b/playbooks/sudorule/ensure-sudorule-runasuser-is-present.yml

@@ -0,0 +1,13 @@

+---

+- name: Tests

+  hosts: ipaserver

+  become: true

+  gather_facts: false

+

+  tasks:

+  # Ensure sudorule is present with the given order.

+  - ipasudorule:

+      ipaadmin_password: MyPassword123

+      name: testrule1

+      runasuser: admin

+      action: member

diff --git a/playbooks/sudorule/ensure-sudorule-sudocmd-is-absent.yml b/playbooks/sudorule/ensure-sudorule-sudocmd-is-absent.yml

index 942d0b5..328242a 100644

--- a/playbooks/sudorule/ensure-sudorule-sudocmd-is-absent.yml

+++ b/playbooks/sudorule/ensure-sudorule-sudocmd-is-absent.yml

@@ -8,8 +8,13 @@

   - ipasudorule:

       ipaadmin_password: MyPassword123

       name: testrule1

-      cmd:

+      allow_sudocmd:

       - /sbin/ifconfig

+      deny_sudocmd:

       - /usr/bin/vim

+      allow_sudocmdgroup:

+      - devops

+      deny_sudocmdgroup:

+      - users

       action: member

       state: absent

diff --git a/playbooks/sudorule/ensure-sudorule-sudocmd-is-present.yml b/playbooks/sudorule/ensure-sudorule-sudocmd-is-present.yml

index 61fcbb0..55acd61 100644

--- a/playbooks/sudorule/ensure-sudorule-sudocmd-is-present.yml

+++ b/playbooks/sudorule/ensure-sudorule-sudocmd-is-present.yml

@@ -8,7 +8,12 @@

   - ipasudorule:

       ipaadmin_password: MyPassword123

       name: testrule1

-      cmd:

+      allow_sudocmd:

       - /sbin/ifconfig

+      deny_sudocmd:

       - /usr/bin/vim

+      allow_sudocmdgroup:

+      - devops

+      deny_sudocmdgroup:

+      - users

       action: member

diff --git a/plugins/modules/ipasudorule.py b/plugins/modules/ipasudorule.py

index c21f247..285a946 100644

--- a/plugins/modules/ipasudorule.py

+++ b/plugins/modules/ipasudorule.py

@@ -79,18 +79,43 @@

     description: Host category the sudo rule applies to.

     required: false

     choices: ["all"]

-  cmd:

-    description: List of sudocmds assigned to this sudorule.

+  allow_sudocmd:

+    description: List of allowed sudocmds assigned to this sudorule.

     required: false

     type: list

-  cmdgroup:

-    description: List of sudocmd groups assigned to this sudorule.

+  allow_sudocmdgroup:

+    description: List of allowed sudocmd groups assigned to this sudorule.

+    required: false

+    type: list

+  deny_sudocmd:

+    description: List of denied sudocmds assigned to this sudorule.

+    required: false

+    type: list

+  deny_sudocmdgroup:

+    description: List of denied sudocmd groups assigned to this sudorule.

     required: false

     type: list

   cmdcategory:

-    description: Cammand category the sudo rule applies to

+    description: Command category the sudo rule applies to

     required: false

     choices: ["all"]

+  order:

+    description: Order to apply this rule.

+    required: false

+    type: int

+  sudooption:

+    description:

+    required: false

+    type: list

+    aliases: ["options"]

+  runasuser:

+    description: List of users for Sudo to execute as.

+    required: false

+    type: list

+  runasgroup:

+    description: List of groups for Sudo to execute as.

+    required: false

+    type: list

   action:

     description: Work on sudorule or member level

     default: sudorule

@@ -111,13 +136,13 @@

 # Ensure sudocmd is present in Sudo Rule

 - ipasudorule:

-  ipaadmin_password: pass1234

-  name: testrule1

-  cmd:

-  - /sbin/ifconfig

-  - /usr/bin/vim

-  action: member

-  state: absent

+    ipaadmin_password: pass1234

+    name: testrule1

+    allow_sudocmd:

+      - /sbin/ifconfig

+      - /usr/bin/vim

+    action: member

+    state: absent

 # Ensure host server is present in Sudo Rule

 - ipasudorule:

@@ -160,7 +185,7 @@

 from ansible.module_utils.basic import AnsibleModule

 from ansible.module_utils.ansible_freeipa_module import temp_kinit, \

     temp_kdestroy, valid_creds, api_connect, api_command, compare_args_ipa, \

-    module_params_get

+    module_params_get, gen_add_del_lists

 def find_sudorule(module, name):

@@ -180,14 +205,26 @@ def find_sudorule(module, name):

         return None

-def gen_args(ansible_module):

-    arglist = ['description', 'usercategory', 'hostcategory', 'cmdcategory',

-               'runasusercategory', 'runasgroupcategory', 'nomembers']

+def gen_args(description, usercat, hostcat, cmdcat, runasusercat,

+             runasgroupcat, order, nomembers):

     _args = {}

-    for arg in arglist:

-        value = module_params_get(ansible_module, arg)

-        if value is not None:

-            _args[arg] = value

+

+    if description is not None:

+        _args['description'] = description

+    if usercat is not None:

+        _args['usercategory'] = usercat

+    if hostcat is not None:

+        _args['hostcategory'] = hostcat

+    if cmdcat is not None:

+        _args['cmdcategory'] = cmdcat

+    if runasusercat is not None:

+        _args['ipasudorunasusercategory'] = runasusercat

+    if runasgroupcat is not None:

+        _args['ipasudorunasgroupcategory'] = runasgroupcat

+    if order is not None:

+        _args['sudoorder'] = order

+    if nomembers is not None:

+        _args['nomembers'] = nomembers

     return _args

@@ -212,13 +249,21 @@ def main():

             hostgroup=dict(required=False, type='list', default=None),

             user=dict(required=False, type='list', default=None),

             group=dict(required=False, type='list', default=None),

-            cmd=dict(required=False, type="list", default=None),

+            allow_sudocmd=dict(required=False, type="list", default=None),

+            deny_sudocmd=dict(required=False, type="list", default=None),

+            allow_sudocmdgroup=dict(required=False, type="list", default=None),

+            deny_sudocmdgroup=dict(required=False, type="list", default=None),

             cmdcategory=dict(required=False, type="str", default=None,

                              choices=["all"]),

             runasusercategory=dict(required=False, type="str", default=None,

                                    choices=["all"]),

             runasgroupcategory=dict(required=False, type="str", default=None,

                                     choices=["all"]),

+            runasuser=dict(required=False, type="list", default=None),

+            runasgroup=dict(required=False, type="list", default=None),

+            order=dict(type="int", required=False, aliases=['sudoorder']),

+            sudooption=dict(required=False, type='list', default=None,

+                            aliases=["options"]),

             action=dict(type="str", default="sudorule",

                         choices=["member", "sudorule"]),

             # state

@@ -256,8 +301,16 @@ def main():

     hostgroup = module_params_get(ansible_module, "hostgroup")

     user = module_params_get(ansible_module, "user")

     group = module_params_get(ansible_module, "group")

-    cmd = module_params_get(ansible_module, 'cmd')

-    cmdgroup = module_params_get(ansible_module, 'cmdgroup')

+    allow_sudocmd = module_params_get(ansible_module, 'allow_sudocmd')

+    allow_sudocmdgroup = module_params_get(ansible_module,

+                                           'allow_sudocmdgroup')

+    deny_sudocmd = module_params_get(ansible_module, 'deny_sudocmd')

+    deny_sudocmdgroup = module_params_get(ansible_module,

+                                          'deny_sudocmdgroup')

+    sudooption = module_params_get(ansible_module, "sudooption")

+    order = module_params_get(ansible_module, "order")

+    runasuser = module_params_get(ansible_module, "runasuser")

+    runasgroup = module_params_get(ansible_module, "runasgroup")

     action = module_params_get(ansible_module, "action")

     # state

@@ -272,28 +325,30 @@ def main():

         if action == "member":

             invalid = ["description", "usercategory", "hostcategory",

                        "cmdcategory", "runasusercategory",

-                       "runasgroupcategory", "nomembers"]

+                       "runasgroupcategory", "order", "nomembers"]

-            for x in invalid:

-                if x in vars() and vars()[x] is not None:

+            for arg in invalid:

+                if arg in vars() and vars()[arg] is not None:

                     ansible_module.fail_json(

                         msg="Argument '%s' can not be used with action "

-                        "'%s'" % (x, action))

+                        "'%s'" % (arg, action))

     elif state == "absent":

         if len(names) < 1:

             ansible_module.fail_json(msg="No name given.")

         invalid = ["description", "usercategory", "hostcategory",

                    "cmdcategory", "runasusercategory",

-                   "runasgroupcategory", "nomembers"]

+                   "runasgroupcategory", "nomembers", "order"]

         if action == "sudorule":

             invalid.extend(["host", "hostgroup", "user", "group",

-                            "cmd", "cmdgroup"])

-        for x in invalid:

-            if vars()[x] is not None:

+                            "runasuser", "runasgroup", "allow_sudocmd",

+                            "allow_sudocmdgroup", "deny_sudocmd",

+                            "deny_sudocmdgroup", "sudooption"])

+        for arg in invalid:

+            if vars()[arg] is not None:

                 ansible_module.fail_json(

                     msg="Argument '%s' can not be used with state '%s'" %

-                    (x, state))

+                    (arg, state))

     elif state in ["enabled", "disabled"]:

         if len(names) < 1:

@@ -305,12 +360,14 @@ def main():

         invalid = ["description", "usercategory", "hostcategory",

                    "cmdcategory", "runasusercategory", "runasgroupcategory",

                    "nomembers", "nomembers", "host", "hostgroup",

-                   "user", "group", "cmd", "cmdgroup"]

-        for x in invalid:

-            if vars()[x] is not None:

+                   "user", "group", "allow_sudocmd", "allow_sudocmdgroup",

+                   "deny_sudocmd", "deny_sudocmdgroup", "runasuser",

+                   "runasgroup", "order", "sudooption"]

+        for arg in invalid:

+            if vars()[arg] is not None:

                 ansible_module.fail_json(

                     msg="Argument '%s' can not be used with state '%s'" %

-                    (x, state))

+                    (arg, state))

     else:

         ansible_module.fail_json(msg="Invalid state '%s'" % state)

@@ -335,7 +392,9 @@ def main():

             # Create command

             if state == "present":

                 # Generate args

-                args = gen_args(ansible_module)

+                args = gen_args(description, usercategory, hostcategory,

+                                cmdcategory, runasusercategory,

+                                runasgroupcategory, order, nomembers)

                 if action == "sudorule":

                     # Found the sudorule

                     if res_find is not None:

@@ -351,44 +410,42 @@ def main():

                         res_find = {}

                     # Generate addition and removal lists

-                    host_add = list(

-                        set(host or []) -

-                        set(res_find.get("member_host", [])))

-                    host_del = list(

-                        set(res_find.get("member_host", [])) -

-                        set(host or []))

-                    hostgroup_add = list(

-                        set(hostgroup or []) -

-                        set(res_find.get("member_hostgroup", [])))

-                    hostgroup_del = list(

-                        set(res_find.get("member_hostgroup", [])) -

-                        set(hostgroup or []))

-

-                    user_add = list(

-                        set(user or []) -

-                        set(res_find.get("member_user", [])))

-                    user_del = list(

-                        set(res_find.get("member_user", [])) -

-                        set(user or []))

-                    group_add = list(

-                        set(group or []) -

-                        set(res_find.get("member_group", [])))

-                    group_del = list(

-                        set(res_find.get("member_group", [])) -

-                        set(group or []))

-

-                    cmd_add = list(

-                        set(cmd or []) -

-                        set(res_find.get("member_cmd", [])))

-                    cmd_del = list(

-                        set(res_find.get("member_cmd", [])) -

-                        set(cmd or []))

-                    cmdgroup_add = list(

-                        set(cmdgroup or []) -

-                        set(res_find.get("member_cmdgroup", [])))

-                    cmdgroup_del = list(

-                        set(res_find.get("member_cmdgroup", [])) -

-                        set(cmdgroup or []))

+                    host_add, host_del = gen_add_del_lists(

+                        host, res_find.get('member_host', []))

+

+                    hostgroup_add, hostgroup_del = gen_add_del_lists(

+                        hostgroup, res_find.get('member_hostgroup', []))

+

+                    user_add, user_del = gen_add_del_lists(

+                        user, res_find.get('member_user', []))

+

+                    group_add, group_del = gen_add_del_lists(

+                        group, res_find.get('member_group', []))

+

+                    allow_cmd_add, allow_cmd_del = gen_add_del_lists(

+                        allow_sudocmd,

+                        res_find.get('memberallowcmd_sudocmd', []))

+

+                    allow_cmdgroup_add, allow_cmdgroup_del = gen_add_del_lists(

+                        allow_sudocmdgroup,

+                        res_find.get('memberallowcmd_sudocmdgroup', []))

+

+                    deny_cmd_add, deny_cmd_del = gen_add_del_lists(

+                        deny_sudocmd,

+                        res_find.get('memberdenycmd_sudocmd', []))

+

+                    deny_cmdgroup_add, deny_cmdgroup_del = gen_add_del_lists(

+                        deny_sudocmdgroup,

+                        res_find.get('memberdenycmd_sudocmdgroup', []))

+

+                    sudooption_add, sudooption_del = gen_add_del_lists(

+                        sudooption, res_find.get('ipasudoopt', []))

+

+                    runasuser_add, runasuser_del = gen_add_del_lists(

+                        runasuser, res_find.get('ipasudorunas_user', []))

+

+                    runasgroup_add, runasgroup_del = gen_add_del_lists(

+                        runasgroup, res_find.get('ipasudorunas_group', []))

                     # Add hosts and hostgroups

                     if len(host_add) > 0 or len(hostgroup_add) > 0:

@@ -420,20 +477,59 @@ def main():

                                              "group": group_del,

                                          }])

-                    # Add commands

-                    if len(cmd_add) > 0 or len(cmdgroup_add) > 0:

+                    # Add commands allowed

+                    if len(allow_cmd_add) > 0 or len(allow_cmdgroup_add) > 0:

                         commands.append([name, "sudorule_add_allow_command",

-                                         {

-                                             "sudocmd": cmd_add,

-                                             "sudocmdgroup": cmdgroup_add,

-                                         }])

-

-                    if len(cmd_del) > 0 or len(cmdgroup_del) > 0:

+                                         {"sudocmd": allow_cmd_add,

+                                          "sudocmdgroup": allow_cmdgroup_add,

+                                          }])

+

+                    if len(allow_cmd_del) > 0 or len(allow_cmdgroup_del) > 0:

+                        commands.append([name, "sudorule_remove_allow_command",

+                                         {"sudocmd": allow_cmd_del,

+                                          "sudocmdgroup": allow_cmdgroup_del

+                                          }])

+

+                    # Add commands denied

+                    if len(deny_cmd_add) > 0 or len(deny_cmdgroup_add) > 0:

                         commands.append([name, "sudorule_add_deny_command",

-                                         {

-                                             "sudocmd": cmd_del,

-                                             "sudocmdgroup": cmdgroup_del

-                                         }])

+                                         {"sudocmd": deny_cmd_add,

+                                          "sudocmdgroup": deny_cmdgroup_add,

+                                          }])

+

+                    if len(deny_cmd_del) > 0 or len(deny_cmdgroup_del) > 0:

+                        commands.append([name, "sudorule_remove_deny_command",

+                                         {"sudocmd": deny_cmd_del,

+                                          "sudocmdgroup": deny_cmdgroup_del

+                                          }])

+

+                    # Add RunAS Users

+                    if len(runasuser_add) > 0:

+                        commands.append([name, "sudorule_add_runasuser",

+                                         {"user": runasuser_add}])

+                    # Remove RunAS Users

+                    if len(runasuser_del) > 0:

+                        commands.append([name, "sudorule_remove_runasuser",

+                                         {"user": runasuser_del}])

+

+                    # Add RunAS Groups

+                    if len(runasgroup_add) > 0:

+                        commands.append([name, "sudorule_add_runasgroup",

+                                         {"group": runasgroup_add}])

+                    # Remove RunAS Groups

+                    if len(runasgroup_del) > 0:

+                        commands.append([name, "sudorule_remove_runasgroup",

+                                         {"group": runasgroup_del}])

+

+                    # Add sudo options

+                    for sudoopt in sudooption_add:

+                        commands.append([name, "sudorule_add_option",

+                                         {"ipasudoopt": sudoopt}])

+

+                    # Remove sudo options

+                    for sudoopt in sudooption_del:

+                        commands.append([name, "sudorule_remove_option",

+                                         {"ipasudoopt": sudoopt}])

                 elif action == "member":

                     if res_find is None:

@@ -456,11 +552,38 @@ def main():

                                          }])

                     # Add commands

-                    if cmd is not None:

+                    if allow_sudocmd is not None \

+                       or allow_sudocmdgroup is not None:

                         commands.append([name, "sudorule_add_allow_command",

-                                         {

-                                             "sudocmd": cmd,

-                                         }])

+                                         {"sudocmd": allow_sudocmd,

+                                          "sudocmdgroup": allow_sudocmdgroup,

+                                          }])

+

+                    # Add commands

+                    if deny_sudocmd is not None \

+                       or deny_sudocmdgroup is not None:

+                        commands.append([name, "sudorule_add_deny_command",

+                                         {"sudocmd": deny_sudocmd,

+                                          "sudocmdgroup": deny_sudocmdgroup,

+                                          }])

+

+                    # Add RunAS Users

+                    if runasuser is not None:

+                        commands.append([name, "sudorule_add_runasuser",

+                                         {"user": runasuser}])

+

+                    # Add RunAS Groups

+                    if runasgroup is not None:

+                        commands.append([name, "sudorule_add_runasgroup",

+                                         {"group": runasgroup}])

+

+                    # Add options

+                    if sudooption is not None:

+                        existing_opts = res_find.get('ipasudoopt', [])

+                        for sudoopt in sudooption:

+                            if sudoopt not in existing_opts:

+                                commands.append([name, "sudorule_add_option",

+                                                 {"ipasudoopt": sudoopt}])

             elif state == "absent":

                 if action == "sudorule":

@@ -487,12 +610,40 @@ def main():

                                              "group": group,

                                          }])

-                    # Remove commands

-                    if cmd is not None:

-                        commands.append([name, "sudorule_add_deny_command",

-                                         {

-                                             "sudocmd": cmd,

-                                         }])

+                    # Remove allow commands

+                    if allow_sudocmd is not None \

+                       or allow_sudocmdgroup is not None:

+                        commands.append([name, "sudorule_remove_allow_command",

+                                         {"sudocmd": allow_sudocmd,

+                                          "sudocmdgroup": allow_sudocmdgroup

+                                          }])

+

+                    # Remove deny commands

+                    if deny_sudocmd is not None \

+                       or deny_sudocmdgroup is not None:

+                        commands.append([name, "sudorule_remove_deny_command",

+                                         {"sudocmd": deny_sudocmd,

+                                          "sudocmdgroup": deny_sudocmdgroup

+                                          }])

+

+                    # Remove RunAS Users

+                    if runasuser is not None:

+                        commands.append([name, "sudorule_remove_runasuser",

+                                         {"user": runasuser}])

+

+                    # Remove RunAS Groups

+                    if runasgroup is not None:

+                        commands.append([name, "sudorule_remove_runasgroup",

+                                         {"group": runasgroup}])

+

+                    # Remove options

+                    if sudooption is not None:

+                        existing_opts = res_find.get('ipasudoopt', [])

+                        for sudoopt in sudooption:

+                            if sudoopt in existing_opts:

+                                commands.append([name,

+                                                 "sudorule_remove_option",

+                                                 {"ipasudoopt": sudoopt}])

             elif state == "enabled":

                 if res_find is None:

@@ -530,9 +681,9 @@ def main():

                         changed = True

                 else:

                     changed = True

-            except Exception as e:

+            except Exception as ex:

                 ansible_module.fail_json(msg="%s: %s: %s" % (command, name,

-                                                             str(e)))

+                                                             str(ex)))

             # Get all errors

             # All "already a member" and "not a member" failures in the

             # result are ignored. All others are reported.

@@ -549,8 +700,8 @@ def main():

         if len(errors) > 0:

             ansible_module.fail_json(msg=", ".join(errors))

-    except Exception as e:

-        ansible_module.fail_json(msg=str(e))

+    except Exception as ex:

+        ansible_module.fail_json(msg=str(ex))

     finally:

         temp_kdestroy(ccache_dir, ccache_name)

diff --git a/tests/sudorule/test_sudorule.yml b/tests/sudorule/test_sudorule.yml

index 88ed90a..25090bb 100644