From dc0a5585fb036fbeba2200564e26c478465afeec Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
Date: Tue, 31 Dec 2019 11:04:49 -0300
Subject: [PATCH] Add missing attributes to ipasudorule.
This patch adds the following attributes to ipasudorule:
- order
- sudooption
- runasuser
- runasgroup
It also fixes behavior of sudocmd assigned to the the sudorule, with the
adittion of the attributes:
- allow_sudocmds
- deny_sudocmds
- allow_sudocmdgroups
- deny_sudocmdgroups
README-sudorule and tests have been updated to comply with the changes.
---
README-sudorule.md | 14 +-
...sure-sudorule-does-not-have-sudooption.yml | 14 +
.../ensure-sudorule-has-sudooption.yml | 13 +
.../ensure-sudorule-is-present-with-order.yml | 12 +
.../sudorule/ensure-sudorule-is-present.yml | 2 +
.../ensure-sudorule-runasuser-is-absent.yml | 14 +
.../ensure-sudorule-runasuser-is-present.yml | 13 +
.../ensure-sudorule-sudocmd-is-absent.yml | 7 +-
.../ensure-sudorule-sudocmd-is-present.yml | 7 +-
plugins/modules/ipasudorule.py | 353 +++++++++++++-----
tests/sudorule/test_sudorule.yml | 204 +++++++---
11 files changed, 504 insertions(+), 149 deletions(-)
create mode 100644 playbooks/sudorule/ensure-sudorule-does-not-have-sudooption.yml
create mode 100644 playbooks/sudorule/ensure-sudorule-has-sudooption.yml
create mode 100644 playbooks/sudorule/ensure-sudorule-is-present-with-order.yml
create mode 100644 playbooks/sudorule/ensure-sudorule-runasuser-is-absent.yml
create mode 100644 playbooks/sudorule/ensure-sudorule-runasuser-is-present.yml
diff --git a/README-sudorule.md b/README-sudorule.md
index bb3498b..50c73ad 100644
--- a/README-sudorule.md
+++ b/README-sudorule.md
@@ -68,7 +68,7 @@ Example playbook to make sure sudocmds are present in Sudo Rule:
- ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
- cmd:
+ allow_sudocmd:
- /sbin/ifconfig
action: member
```
@@ -87,7 +87,7 @@ Example playbook to make sure sudocmds are not present in Sudo Rule:
- ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
- cmd:
+ allow_sudocmd:
- /sbin/ifconfig
action: member
state: absent
@@ -130,8 +130,14 @@ Variable | Description | Required
`hostgroup` | List of host group name strings assigned to this sudorule. | no
`user` | List of user name strings assigned to this sudorule. | no
`group` | List of user group name strings assigned to this sudorule. | no
-`cmd` | List of sudocmd name strings assigned to this sudorule. | no
-`cmdgroup` | List of sudocmd group name strings assigned wto this sudorule. | no
+`allow_sudocmd` | List of sudocmd name strings assigned to the allow group of this sudorule. | no
+`deny_sudocmd` | List of sudocmd name strings assigned to the deny group of this sudorule. | no
+`allow_sudocmdgroup` | List of sudocmd groups name strings assigned to the allow group of this sudorule. | no
+`deny_sudocmdgroup` | List of sudocmd groups name strings assigned to the deny group of this sudorule. | no
+`sudooption` \| `option` | List of options to the sudorule | no
+`order` | Integer to order the sudorule | no
+`runasuser` | List of users for Sudo to execute as. | no
+`runasgroup` | List of groups for Sudo to execute as. | no
`action` | Work on sudorule or member level. It can be on of `member` or `sudorule` and defaults to `sudorule`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, `enabled` or `disabled`, default: `present`. | no
diff --git a/playbooks/sudorule/ensure-sudorule-does-not-have-sudooption.yml b/playbooks/sudorule/ensure-sudorule-does-not-have-sudooption.yml
new file mode 100644
index 0000000..1307044
--- /dev/null
+++ b/playbooks/sudorule/ensure-sudorule-does-not-have-sudooption.yml
@@ -0,0 +1,14 @@
+---
+- name: Tests
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ # Ensure sudooption is absent in sudorule
+ - ipasudorule:
+ ipaadmin_password: MyPassword123
+ name: testrule1
+ sudooption: "!root"
+ action: member
+ state: absent
diff --git a/playbooks/sudorule/ensure-sudorule-has-sudooption.yml b/playbooks/sudorule/ensure-sudorule-has-sudooption.yml
new file mode 100644
index 0000000..1f32b9a
--- /dev/null
+++ b/playbooks/sudorule/ensure-sudorule-has-sudooption.yml
@@ -0,0 +1,13 @@
+---
+- name: Tests
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ # Ensure sudooption is present in sudorule
+ - ipasudorule:
+ ipaadmin_password: MyPassword123
+ name: testrule1
+ sudooption: "!root"
+ action: member
diff --git a/playbooks/sudorule/ensure-sudorule-is-present-with-order.yml b/playbooks/sudorule/ensure-sudorule-is-present-with-order.yml
new file mode 100644
index 0000000..9a3c2b2
--- /dev/null
+++ b/playbooks/sudorule/ensure-sudorule-is-present-with-order.yml
@@ -0,0 +1,12 @@
+---
+- name: Tests
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ # Ensure sudorule is present with the given order.
+ - ipasudorule:
+ ipaadmin_password: MyPassword123
+ name: testrule1
+ order: 2
diff --git a/playbooks/sudorule/ensure-sudorule-is-present.yml b/playbooks/sudorule/ensure-sudorule-is-present.yml
index 5b8f32b..89041af 100644
--- a/playbooks/sudorule/ensure-sudorule-is-present.yml
+++ b/playbooks/sudorule/ensure-sudorule-is-present.yml
@@ -9,4 +9,6 @@
ipaadmin_password: MyPassword123
name: testrule1
description: A test sudo rule.
+ allow_sudocmd: /bin/ls
+ deny_sudocmd: /bin/vim
state: present
diff --git a/playbooks/sudorule/ensure-sudorule-runasuser-is-absent.yml b/playbooks/sudorule/ensure-sudorule-runasuser-is-absent.yml
new file mode 100644
index 0000000..56612f1
--- /dev/null
+++ b/playbooks/sudorule/ensure-sudorule-runasuser-is-absent.yml
@@ -0,0 +1,14 @@
+---
+- name: Tests
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ # Ensure sudorule is present with the given order.
+ - ipasudorule:
+ ipaadmin_password: MyPassword123
+ name: testrule1
+ runasuser: admin
+ action: member
+ state: absent
diff --git a/playbooks/sudorule/ensure-sudorule-runasuser-is-present.yml b/playbooks/sudorule/ensure-sudorule-runasuser-is-present.yml
new file mode 100644
index 0000000..8af49b9
--- /dev/null
+++ b/playbooks/sudorule/ensure-sudorule-runasuser-is-present.yml
@@ -0,0 +1,13 @@
+---
+- name: Tests
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ # Ensure sudorule is present with the given order.
+ - ipasudorule:
+ ipaadmin_password: MyPassword123
+ name: testrule1
+ runasuser: admin
+ action: member
diff --git a/playbooks/sudorule/ensure-sudorule-sudocmd-is-absent.yml b/playbooks/sudorule/ensure-sudorule-sudocmd-is-absent.yml
index 942d0b5..328242a 100644
--- a/playbooks/sudorule/ensure-sudorule-sudocmd-is-absent.yml
+++ b/playbooks/sudorule/ensure-sudorule-sudocmd-is-absent.yml
@@ -8,8 +8,13 @@
- ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
- cmd:
+ allow_sudocmd:
- /sbin/ifconfig
+ deny_sudocmd:
- /usr/bin/vim
+ allow_sudocmdgroup:
+ - devops
+ deny_sudocmdgroup:
+ - users
action: member
state: absent
diff --git a/playbooks/sudorule/ensure-sudorule-sudocmd-is-present.yml b/playbooks/sudorule/ensure-sudorule-sudocmd-is-present.yml
index 61fcbb0..55acd61 100644
--- a/playbooks/sudorule/ensure-sudorule-sudocmd-is-present.yml
+++ b/playbooks/sudorule/ensure-sudorule-sudocmd-is-present.yml
@@ -8,7 +8,12 @@
- ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
- cmd:
+ allow_sudocmd:
- /sbin/ifconfig
+ deny_sudocmd:
- /usr/bin/vim
+ allow_sudocmdgroup:
+ - devops
+ deny_sudocmdgroup:
+ - users
action: member
diff --git a/plugins/modules/ipasudorule.py b/plugins/modules/ipasudorule.py
index c21f247..285a946 100644
--- a/plugins/modules/ipasudorule.py
+++ b/plugins/modules/ipasudorule.py
@@ -79,18 +79,43 @@
description: Host category the sudo rule applies to.
required: false
choices: ["all"]
- cmd:
- description: List of sudocmds assigned to this sudorule.
+ allow_sudocmd:
+ description: List of allowed sudocmds assigned to this sudorule.
required: false
type: list
- cmdgroup:
- description: List of sudocmd groups assigned to this sudorule.
+ allow_sudocmdgroup:
+ description: List of allowed sudocmd groups assigned to this sudorule.
+ required: false
+ type: list
+ deny_sudocmd:
+ description: List of denied sudocmds assigned to this sudorule.
+ required: false
+ type: list
+ deny_sudocmdgroup:
+ description: List of denied sudocmd groups assigned to this sudorule.
required: false
type: list
cmdcategory:
- description: Cammand category the sudo rule applies to
+ description: Command category the sudo rule applies to
required: false
choices: ["all"]
+ order:
+ description: Order to apply this rule.
+ required: false
+ type: int
+ sudooption:
+ description:
+ required: false
+ type: list
+ aliases: ["options"]
+ runasuser:
+ description: List of users for Sudo to execute as.
+ required: false
+ type: list
+ runasgroup:
+ description: List of groups for Sudo to execute as.
+ required: false
+ type: list
action:
description: Work on sudorule or member level
default: sudorule
@@ -111,13 +136,13 @@
# Ensure sudocmd is present in Sudo Rule
- ipasudorule:
- ipaadmin_password: pass1234
- name: testrule1
- cmd:
- - /sbin/ifconfig
- - /usr/bin/vim
- action: member
- state: absent
+ ipaadmin_password: pass1234
+ name: testrule1
+ allow_sudocmd:
+ - /sbin/ifconfig
+ - /usr/bin/vim
+ action: member
+ state: absent
# Ensure host server is present in Sudo Rule
- ipasudorule:
@@ -160,7 +185,7 @@
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.ansible_freeipa_module import temp_kinit, \
temp_kdestroy, valid_creds, api_connect, api_command, compare_args_ipa, \
- module_params_get
+ module_params_get, gen_add_del_lists
def find_sudorule(module, name):
@@ -180,14 +205,26 @@ def find_sudorule(module, name):
return None
-def gen_args(ansible_module):
- arglist = ['description', 'usercategory', 'hostcategory', 'cmdcategory',
- 'runasusercategory', 'runasgroupcategory', 'nomembers']
+def gen_args(description, usercat, hostcat, cmdcat, runasusercat,
+ runasgroupcat, order, nomembers):
_args = {}
- for arg in arglist:
- value = module_params_get(ansible_module, arg)
- if value is not None:
- _args[arg] = value
+
+ if description is not None:
+ _args['description'] = description
+ if usercat is not None:
+ _args['usercategory'] = usercat
+ if hostcat is not None:
+ _args['hostcategory'] = hostcat
+ if cmdcat is not None:
+ _args['cmdcategory'] = cmdcat
+ if runasusercat is not None:
+ _args['ipasudorunasusercategory'] = runasusercat
+ if runasgroupcat is not None:
+ _args['ipasudorunasgroupcategory'] = runasgroupcat
+ if order is not None:
+ _args['sudoorder'] = order
+ if nomembers is not None:
+ _args['nomembers'] = nomembers
return _args
@@ -212,13 +249,21 @@ def main():
hostgroup=dict(required=False, type='list', default=None),
user=dict(required=False, type='list', default=None),
group=dict(required=False, type='list', default=None),
- cmd=dict(required=False, type="list", default=None),
+ allow_sudocmd=dict(required=False, type="list", default=None),
+ deny_sudocmd=dict(required=False, type="list", default=None),
+ allow_sudocmdgroup=dict(required=False, type="list", default=None),
+ deny_sudocmdgroup=dict(required=False, type="list", default=None),
cmdcategory=dict(required=False, type="str", default=None,
choices=["all"]),
runasusercategory=dict(required=False, type="str", default=None,
choices=["all"]),
runasgroupcategory=dict(required=False, type="str", default=None,
choices=["all"]),
+ runasuser=dict(required=False, type="list", default=None),
+ runasgroup=dict(required=False, type="list", default=None),
+ order=dict(type="int", required=False, aliases=['sudoorder']),
+ sudooption=dict(required=False, type='list', default=None,
+ aliases=["options"]),
action=dict(type="str", default="sudorule",
choices=["member", "sudorule"]),
# state
@@ -256,8 +301,16 @@ def main():
hostgroup = module_params_get(ansible_module, "hostgroup")
user = module_params_get(ansible_module, "user")
group = module_params_get(ansible_module, "group")
- cmd = module_params_get(ansible_module, 'cmd')
- cmdgroup = module_params_get(ansible_module, 'cmdgroup')
+ allow_sudocmd = module_params_get(ansible_module, 'allow_sudocmd')
+ allow_sudocmdgroup = module_params_get(ansible_module,
+ 'allow_sudocmdgroup')
+ deny_sudocmd = module_params_get(ansible_module, 'deny_sudocmd')
+ deny_sudocmdgroup = module_params_get(ansible_module,
+ 'deny_sudocmdgroup')
+ sudooption = module_params_get(ansible_module, "sudooption")
+ order = module_params_get(ansible_module, "order")
+ runasuser = module_params_get(ansible_module, "runasuser")
+ runasgroup = module_params_get(ansible_module, "runasgroup")
action = module_params_get(ansible_module, "action")
# state
@@ -272,28 +325,30 @@ def main():
if action == "member":
invalid = ["description", "usercategory", "hostcategory",
"cmdcategory", "runasusercategory",
- "runasgroupcategory", "nomembers"]
+ "runasgroupcategory", "order", "nomembers"]
- for x in invalid:
- if x in vars() and vars()[x] is not None:
+ for arg in invalid:
+ if arg in vars() and vars()[arg] is not None:
ansible_module.fail_json(
msg="Argument '%s' can not be used with action "
- "'%s'" % (x, action))
+ "'%s'" % (arg, action))
elif state == "absent":
if len(names) < 1:
ansible_module.fail_json(msg="No name given.")
invalid = ["description", "usercategory", "hostcategory",
"cmdcategory", "runasusercategory",
- "runasgroupcategory", "nomembers"]
+ "runasgroupcategory", "nomembers", "order"]
if action == "sudorule":
invalid.extend(["host", "hostgroup", "user", "group",
- "cmd", "cmdgroup"])
- for x in invalid:
- if vars()[x] is not None:
+ "runasuser", "runasgroup", "allow_sudocmd",
+ "allow_sudocmdgroup", "deny_sudocmd",
+ "deny_sudocmdgroup", "sudooption"])
+ for arg in invalid:
+ if vars()[arg] is not None:
ansible_module.fail_json(
msg="Argument '%s' can not be used with state '%s'" %
- (x, state))
+ (arg, state))
elif state in ["enabled", "disabled"]:
if len(names) < 1:
@@ -305,12 +360,14 @@ def main():
invalid = ["description", "usercategory", "hostcategory",
"cmdcategory", "runasusercategory", "runasgroupcategory",
"nomembers", "nomembers", "host", "hostgroup",
- "user", "group", "cmd", "cmdgroup"]
- for x in invalid:
- if vars()[x] is not None:
+ "user", "group", "allow_sudocmd", "allow_sudocmdgroup",
+ "deny_sudocmd", "deny_sudocmdgroup", "runasuser",
+ "runasgroup", "order", "sudooption"]
+ for arg in invalid:
+ if vars()[arg] is not None:
ansible_module.fail_json(
msg="Argument '%s' can not be used with state '%s'" %
- (x, state))
+ (arg, state))
else:
ansible_module.fail_json(msg="Invalid state '%s'" % state)
@@ -335,7 +392,9 @@ def main():
# Create command
if state == "present":
# Generate args
- args = gen_args(ansible_module)
+ args = gen_args(description, usercategory, hostcategory,
+ cmdcategory, runasusercategory,
+ runasgroupcategory, order, nomembers)
if action == "sudorule":
# Found the sudorule
if res_find is not None:
@@ -351,44 +410,42 @@ def main():
res_find = {}
# Generate addition and removal lists
- host_add = list(
- set(host or []) -
- set(res_find.get("member_host", [])))
- host_del = list(
- set(res_find.get("member_host", [])) -
- set(host or []))
- hostgroup_add = list(
- set(hostgroup or []) -
- set(res_find.get("member_hostgroup", [])))
- hostgroup_del = list(
- set(res_find.get("member_hostgroup", [])) -
- set(hostgroup or []))
-
- user_add = list(
- set(user or []) -
- set(res_find.get("member_user", [])))
- user_del = list(
- set(res_find.get("member_user", [])) -
- set(user or []))
- group_add = list(
- set(group or []) -
- set(res_find.get("member_group", [])))
- group_del = list(
- set(res_find.get("member_group", [])) -
- set(group or []))
-
- cmd_add = list(
- set(cmd or []) -
- set(res_find.get("member_cmd", [])))
- cmd_del = list(
- set(res_find.get("member_cmd", [])) -
- set(cmd or []))
- cmdgroup_add = list(
- set(cmdgroup or []) -
- set(res_find.get("member_cmdgroup", [])))
- cmdgroup_del = list(
- set(res_find.get("member_cmdgroup", [])) -
- set(cmdgroup or []))
+ host_add, host_del = gen_add_del_lists(
+ host, res_find.get('member_host', []))
+
+ hostgroup_add, hostgroup_del = gen_add_del_lists(
+ hostgroup, res_find.get('member_hostgroup', []))
+
+ user_add, user_del = gen_add_del_lists(
+ user, res_find.get('member_user', []))
+
+ group_add, group_del = gen_add_del_lists(
+ group, res_find.get('member_group', []))
+
+ allow_cmd_add, allow_cmd_del = gen_add_del_lists(
+ allow_sudocmd,
+ res_find.get('memberallowcmd_sudocmd', []))
+
+ allow_cmdgroup_add, allow_cmdgroup_del = gen_add_del_lists(
+ allow_sudocmdgroup,
+ res_find.get('memberallowcmd_sudocmdgroup', []))
+
+ deny_cmd_add, deny_cmd_del = gen_add_del_lists(
+ deny_sudocmd,
+ res_find.get('memberdenycmd_sudocmd', []))
+
+ deny_cmdgroup_add, deny_cmdgroup_del = gen_add_del_lists(
+ deny_sudocmdgroup,
+ res_find.get('memberdenycmd_sudocmdgroup', []))
+
+ sudooption_add, sudooption_del = gen_add_del_lists(
+ sudooption, res_find.get('ipasudoopt', []))
+
+ runasuser_add, runasuser_del = gen_add_del_lists(
+ runasuser, res_find.get('ipasudorunas_user', []))
+
+ runasgroup_add, runasgroup_del = gen_add_del_lists(
+ runasgroup, res_find.get('ipasudorunas_group', []))
# Add hosts and hostgroups
if len(host_add) > 0 or len(hostgroup_add) > 0:
@@ -420,20 +477,59 @@ def main():
"group": group_del,
}])
- # Add commands
- if len(cmd_add) > 0 or len(cmdgroup_add) > 0:
+ # Add commands allowed
+ if len(allow_cmd_add) > 0 or len(allow_cmdgroup_add) > 0:
commands.append([name, "sudorule_add_allow_command",
- {
- "sudocmd": cmd_add,
- "sudocmdgroup": cmdgroup_add,
- }])
-
- if len(cmd_del) > 0 or len(cmdgroup_del) > 0:
+ {"sudocmd": allow_cmd_add,
+ "sudocmdgroup": allow_cmdgroup_add,
+ }])
+
+ if len(allow_cmd_del) > 0 or len(allow_cmdgroup_del) > 0:
+ commands.append([name, "sudorule_remove_allow_command",
+ {"sudocmd": allow_cmd_del,
+ "sudocmdgroup": allow_cmdgroup_del
+ }])
+
+ # Add commands denied
+ if len(deny_cmd_add) > 0 or len(deny_cmdgroup_add) > 0:
commands.append([name, "sudorule_add_deny_command",
- {
- "sudocmd": cmd_del,
- "sudocmdgroup": cmdgroup_del
- }])
+ {"sudocmd": deny_cmd_add,
+ "sudocmdgroup": deny_cmdgroup_add,
+ }])
+
+ if len(deny_cmd_del) > 0 or len(deny_cmdgroup_del) > 0:
+ commands.append([name, "sudorule_remove_deny_command",
+ {"sudocmd": deny_cmd_del,
+ "sudocmdgroup": deny_cmdgroup_del
+ }])
+
+ # Add RunAS Users
+ if len(runasuser_add) > 0:
+ commands.append([name, "sudorule_add_runasuser",
+ {"user": runasuser_add}])
+ # Remove RunAS Users
+ if len(runasuser_del) > 0:
+ commands.append([name, "sudorule_remove_runasuser",
+ {"user": runasuser_del}])
+
+ # Add RunAS Groups
+ if len(runasgroup_add) > 0:
+ commands.append([name, "sudorule_add_runasgroup",
+ {"group": runasgroup_add}])
+ # Remove RunAS Groups
+ if len(runasgroup_del) > 0:
+ commands.append([name, "sudorule_remove_runasgroup",
+ {"group": runasgroup_del}])
+
+ # Add sudo options
+ for sudoopt in sudooption_add:
+ commands.append([name, "sudorule_add_option",
+ {"ipasudoopt": sudoopt}])
+
+ # Remove sudo options
+ for sudoopt in sudooption_del:
+ commands.append([name, "sudorule_remove_option",
+ {"ipasudoopt": sudoopt}])
elif action == "member":
if res_find is None:
@@ -456,11 +552,38 @@ def main():
}])
# Add commands
- if cmd is not None:
+ if allow_sudocmd is not None \
+ or allow_sudocmdgroup is not None:
commands.append([name, "sudorule_add_allow_command",
- {
- "sudocmd": cmd,
- }])
+ {"sudocmd": allow_sudocmd,
+ "sudocmdgroup": allow_sudocmdgroup,
+ }])
+
+ # Add commands
+ if deny_sudocmd is not None \
+ or deny_sudocmdgroup is not None:
+ commands.append([name, "sudorule_add_deny_command",
+ {"sudocmd": deny_sudocmd,
+ "sudocmdgroup": deny_sudocmdgroup,
+ }])
+
+ # Add RunAS Users
+ if runasuser is not None:
+ commands.append([name, "sudorule_add_runasuser",
+ {"user": runasuser}])
+
+ # Add RunAS Groups
+ if runasgroup is not None:
+ commands.append([name, "sudorule_add_runasgroup",
+ {"group": runasgroup}])
+
+ # Add options
+ if sudooption is not None:
+ existing_opts = res_find.get('ipasudoopt', [])
+ for sudoopt in sudooption:
+ if sudoopt not in existing_opts:
+ commands.append([name, "sudorule_add_option",
+ {"ipasudoopt": sudoopt}])
elif state == "absent":
if action == "sudorule":
@@ -487,12 +610,40 @@ def main():
"group": group,
}])
- # Remove commands
- if cmd is not None:
- commands.append([name, "sudorule_add_deny_command",
- {
- "sudocmd": cmd,
- }])
+ # Remove allow commands
+ if allow_sudocmd is not None \
+ or allow_sudocmdgroup is not None:
+ commands.append([name, "sudorule_remove_allow_command",
+ {"sudocmd": allow_sudocmd,
+ "sudocmdgroup": allow_sudocmdgroup
+ }])
+
+ # Remove deny commands
+ if deny_sudocmd is not None \
+ or deny_sudocmdgroup is not None:
+ commands.append([name, "sudorule_remove_deny_command",
+ {"sudocmd": deny_sudocmd,
+ "sudocmdgroup": deny_sudocmdgroup
+ }])
+
+ # Remove RunAS Users
+ if runasuser is not None:
+ commands.append([name, "sudorule_remove_runasuser",
+ {"user": runasuser}])
+
+ # Remove RunAS Groups
+ if runasgroup is not None:
+ commands.append([name, "sudorule_remove_runasgroup",
+ {"group": runasgroup}])
+
+ # Remove options
+ if sudooption is not None:
+ existing_opts = res_find.get('ipasudoopt', [])
+ for sudoopt in sudooption:
+ if sudoopt in existing_opts:
+ commands.append([name,
+ "sudorule_remove_option",
+ {"ipasudoopt": sudoopt}])
elif state == "enabled":
if res_find is None:
@@ -530,9 +681,9 @@ def main():
changed = True
else:
changed = True
- except Exception as e:
+ except Exception as ex:
ansible_module.fail_json(msg="%s: %s: %s" % (command, name,
- str(e)))
+ str(ex)))
# Get all errors
# All "already a member" and "not a member" failures in the
# result are ignored. All others are reported.
@@ -549,8 +700,8 @@ def main():
if len(errors) > 0:
ansible_module.fail_json(msg=", ".join(errors))
- except Exception as e:
- ansible_module.fail_json(msg=str(e))
+ except Exception as ex:
+ ansible_module.fail_json(msg=str(ex))
finally:
temp_kdestroy(ccache_dir, ccache_name)
diff --git a/tests/sudorule/test_sudorule.yml b/tests/sudorule/test_sudorule.yml
index 88ed90a..25090bb 100644
--- a/tests/sudorule/test_sudorule.yml
+++ b/tests/sudorule/test_sudorule.yml
@@ -16,15 +16,22 @@
- name: Ensure some sudocmds are available
ipasudocmd:
- ipaadmin_password: pass1234
+ ipaadmin_password: MyPassword123
name:
- /sbin/ifconfig
- /usr/bin/vim
state: present
+ - name: Ensure sudocmdgroup is available
+ ipasudocmdgroup:
+ ipaadmin_password: MyPassword123
+ name: test_sudorule
+ sudocmd: /usr/bin/vim
+ state: present
+
- name: Ensure sudorules are absent
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: MyPassword123
name:
- testrule1
- allusers
@@ -34,21 +41,21 @@
- name: Ensure sudorule is present
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: MyPassword123
name: testrule1
register: result
failed_when: not result.changed
- name: Ensure sudorule is present again
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: MyPassword123
name: testrule1
register: result
failed_when: result.changed
- name: Ensure sudorule is present, runAsUserCategory.
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: MyPassword123
name: testrule1
runAsUserCategory: all
register: result
@@ -56,7 +63,7 @@
- name: Ensure sudorule is present, with usercategory 'all'
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: MyPassword123
name: allusers
usercategory: all
register: result
@@ -64,7 +71,7 @@
- name: Ensure sudorule is present, with usercategory 'all', again
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: MyPassword123
name: allusers
usercategory: all
register: result
@@ -72,7 +79,7 @@
- name: Ensure sudorule is present, with hostategory 'all'
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: MyPassword123
name: allhosts
hostcategory: all
register: result
@@ -80,7 +87,7 @@
- name: Ensure sudorule is present, with hostategory 'all', again
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: MyPassword123
name: allhosts
hostcategory: all
register: result
@@ -88,13 +95,13 @@
- name: Ensure sudorule is disabled
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: MyPassword123
name: testrule1
state: disabled
- name: Ensure sudorule is disabled, again
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: MyPassword123
name: testrule1
state: disabled
register: result
@@ -102,7 +109,7 @@
- name: Ensure sudorule is enabled
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: MyPassword123
name: testrule1
state: enabled
register: result
@@ -110,37 +117,77 @@
- name: Ensure sudorule is enabled, again
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: MyPassword123
name: testrule1
state: enabled
register: result
failed_when: result.changed
- - name: Ensure sudorule is present and some sudocmd are a member of it.
+ - name: Ensure sudorule is present and some sudocmd are allowed.
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: MyPassword123
name: testrule1
- cmd:
+ allow_sudocmd:
- /sbin/ifconfig
- - /usr/bin/vim
action: member
register: result
failed_when: not result.changed
- - name: Ensure sudorule is present and some sudocmd are a member of it, again.
+ - name: Ensure sudorule is present and some sudocmd are allowed, again.
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: MyPassword123
name: testrule1
- cmd:
+ allow_sudocmd:
- /sbin/ifconfig
+ action: member
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure sudorule is present and some sudocmd are denyed.
+ ipasudorule:
+ ipaadmin_password: MyPassword123
+ name: testrule1
+ deny_sudocmd:
+ - /usr/bin/vim
+ action: member
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure sudorule is present and some sudocmd are denyed, again.
+ ipasudorule:
+ ipaadmin_password: MyPassword123
+ name: testrule1
+ deny_sudocmd:
- /usr/bin/vim
action: member
register: result
failed_when: result.changed
+ - name: Ensure sudorule is present and, sudocmds are absent.
+ ipasudorule:
+ ipaadmin_password: MyPassword123
+ name: testrule1
+ allow_sudocmd: /sbin/ifconfig
+ deny_sudocmd: /usr/bin/vim
+ action: member
+ state: absent
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure sudorule is present and, sudocmds are absent, again.
+ ipasudorule:
+ ipaadmin_password: MyPassword123
+ name: testrule1
+ allow_sudocmd: /sbin/ifconfig
+ deny_sudocmd: /usr/bin/vim
+ action: member
+ state: absent
+ register: result
+ failed_when: result.changed
+
- name: Ensure sudorule is present with cmdcategory 'all'.
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: MyPassword123
name: allcommands
cmdcategory: all
register: result
@@ -148,7 +195,7 @@
- name: Ensure sudorule is present with cmdcategory 'all', again.
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: MyPassword123
name: allcommands
cmdcategory: all
register: result
@@ -156,7 +203,7 @@
- name: Ensure host "{{ groups.ipaserver[0] }}" is present in sudorule.
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: MyPassword123
name: testrule1
host: "{{ groups.ipaserver[0] }}"
action: member
@@ -165,7 +212,7 @@
- name: Ensure host "{{ groups.ipaserver[0] }}" is present in sudorule, again.
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: MyPassword123
name: testrule1
host: "{{ groups.ipaserver[0] }}"
action: member
@@ -190,25 +237,77 @@
register: result
failed_when: result.changed
- - name: Ensure sudorule sudocmds are absent
+ - name: Ensure sudorule is present, with an allow_sudocmdgroup.
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: MyPassword123
name: testrule1
- cmd:
- - /sbin/ifconfig
- - /usr/bin/vim
+ allow_sudocmdgroup: test_sudorule
+ state: present
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure sudorule is present, with an allow_sudocmdgroup, again.
+ ipasudorule:
+ ipaadmin_password: MyPassword123
+ name: testrule1
+ allow_sudocmdgroup: test_sudorule
+ state: present
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure sudorule is present, but allow_sudocmdgroup is absent.
+ ipasudorule:
+ ipaadmin_password: MyPassword123
+ name: testrule1
+ allow_sudocmdgroup: test_sudorule
action: member
state: absent
register: result
failed_when: not result.changed
- - name: Ensure sudorule sudocmds are absent, again
+ - name: Ensure sudorule is present, but allow_sudocmdgroup is absent.
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: MyPassword123
name: testrule1
- cmd:
- - /sbin/ifconfig
- - /usr/bin/vim
+ allow_sudocmdgroup: test_sudorule
+ action: member
+ state: absent
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure sudorule is present, with an deny_sudocmdgroup.
+ ipasudorule:
+ ipaadmin_password: MyPassword123
+ name: testrule1
+ deny_sudocmdgroup: test_sudorule
+ state: present
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure sudorule is present, with an deny_sudocmdgroup, again.
+ ipasudorule:
+ ipaadmin_password: MyPassword123
+ name: testrule1
+ deny_sudocmdgroup: test_sudorule
+ state: present
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure sudorule is present, but deny_sudocmdgroup is absent.
+ ipasudorule:
+ ipaadmin_password: MyPassword123
+ name: testrule1
+ deny_sudocmdgroup: test_sudorule
+ action: member
+ state: absent
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure sudorule is present, but deny_sudocmdgroup is absent, again.
+ ipasudorule:
+ ipaadmin_password: MyPassword123
+ name: testrule1
+ deny_sudocmdgroup: test_sudorule
action: member
state: absent
register: result
@@ -216,7 +315,7 @@
- name: Ensure sudorule is absent
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: MyPassword123
name: testrule1
state: absent
register: result
@@ -224,7 +323,7 @@
- name: Ensure sudorule is absent, again.
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: MyPassword123
name: testrule1
state: absent
register: result
@@ -232,7 +331,7 @@
- name: Ensure sudorule allhosts is absent
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: MyPassword123
name: allhosts
state: absent
register: result
@@ -240,7 +339,7 @@
- name: Ensure sudorule allhosts is absent, again
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: MyPassword123
name: allhosts
state: absent
register: result
@@ -248,7 +347,7 @@
- name: Ensure sudorule allusers is absent
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: MyPassword123
name: allusers
state: absent
register: result
@@ -256,7 +355,7 @@
- name: Ensure sudorule allusers is absent, again
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: MyPassword123
name: allusers
state: absent
register: result
@@ -264,7 +363,7 @@
- name: Ensure sudorule allcommands is absent
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: MyPassword123
name: allcommands
state: absent
register: result
@@ -272,8 +371,29 @@
- name: Ensure sudorule allcommands is absent, again
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: MyPassword123
name: allcommands
state: absent
register: result
failed_when: result.changed
+
+ # cleanup
+ - name : Ensure sudocmdgroup is absent
+ ipasudocmdgroup:
+ ipaadmin_password: MyPassword123
+ name: test_sudorule
+ state: absent
+
+ - name: Ensure hostgroup is absent.
+ ipahostgroup:
+ ipaadmin_password: MyPassword123
+ name: cluster
+ state: absent
+
+ - name: Ensure sudocmds are absent
+ ipasudocmd:
+ ipaadmin_password: MyPassword123
+ name:
+ - /sbin/ifconfig
+ - /usr/bin/vim
+ state: absent