From dc0a5585fb036fbeba2200564e26c478465afeec Mon Sep 17 00:00:00 2001 From: Rafael Guterres Jeffman Date: Tue, 31 Dec 2019 11:04:49 -0300 Subject: [PATCH] Add missing attributes to ipasudorule. This patch adds the following attributes to ipasudorule: - order - sudooption - runasuser - runasgroup It also fixes behavior of sudocmd assigned to the the sudorule, with the adittion of the attributes: - allow_sudocmds - deny_sudocmds - allow_sudocmdgroups - deny_sudocmdgroups README-sudorule and tests have been updated to comply with the changes. --- README-sudorule.md | 14 +- ...sure-sudorule-does-not-have-sudooption.yml | 14 + .../ensure-sudorule-has-sudooption.yml | 13 + .../ensure-sudorule-is-present-with-order.yml | 12 + .../sudorule/ensure-sudorule-is-present.yml | 2 + .../ensure-sudorule-runasuser-is-absent.yml | 14 + .../ensure-sudorule-runasuser-is-present.yml | 13 + .../ensure-sudorule-sudocmd-is-absent.yml | 7 +- .../ensure-sudorule-sudocmd-is-present.yml | 7 +- plugins/modules/ipasudorule.py | 353 +++++++++++++----- tests/sudorule/test_sudorule.yml | 204 +++++++--- 11 files changed, 504 insertions(+), 149 deletions(-) create mode 100644 playbooks/sudorule/ensure-sudorule-does-not-have-sudooption.yml create mode 100644 playbooks/sudorule/ensure-sudorule-has-sudooption.yml create mode 100644 playbooks/sudorule/ensure-sudorule-is-present-with-order.yml create mode 100644 playbooks/sudorule/ensure-sudorule-runasuser-is-absent.yml create mode 100644 playbooks/sudorule/ensure-sudorule-runasuser-is-present.yml diff --git a/README-sudorule.md b/README-sudorule.md index bb3498b..50c73ad 100644 --- a/README-sudorule.md +++ b/README-sudorule.md @@ -68,7 +68,7 @@ Example playbook to make sure sudocmds are present in Sudo Rule: - ipasudorule: ipaadmin_password: MyPassword123 name: testrule1 - cmd: + allow_sudocmd: - /sbin/ifconfig action: member ``` @@ -87,7 +87,7 @@ Example playbook to make sure sudocmds are not present in Sudo Rule: - ipasudorule: ipaadmin_password: MyPassword123 name: testrule1 - cmd: + allow_sudocmd: - /sbin/ifconfig action: member state: absent @@ -130,8 +130,14 @@ Variable | Description | Required `hostgroup` | List of host group name strings assigned to this sudorule. | no `user` | List of user name strings assigned to this sudorule. | no `group` | List of user group name strings assigned to this sudorule. | no -`cmd` | List of sudocmd name strings assigned to this sudorule. | no -`cmdgroup` | List of sudocmd group name strings assigned wto this sudorule. | no +`allow_sudocmd` | List of sudocmd name strings assigned to the allow group of this sudorule. | no +`deny_sudocmd` | List of sudocmd name strings assigned to the deny group of this sudorule. | no +`allow_sudocmdgroup` | List of sudocmd groups name strings assigned to the allow group of this sudorule. | no +`deny_sudocmdgroup` | List of sudocmd groups name strings assigned to the deny group of this sudorule. | no +`sudooption` \| `option` | List of options to the sudorule | no +`order` | Integer to order the sudorule | no +`runasuser` | List of users for Sudo to execute as. | no +`runasgroup` | List of groups for Sudo to execute as. | no `action` | Work on sudorule or member level. It can be on of `member` or `sudorule` and defaults to `sudorule`. | no `state` | The state to ensure. It can be one of `present`, `absent`, `enabled` or `disabled`, default: `present`. | no diff --git a/playbooks/sudorule/ensure-sudorule-does-not-have-sudooption.yml b/playbooks/sudorule/ensure-sudorule-does-not-have-sudooption.yml new file mode 100644 index 0000000..1307044 --- /dev/null +++ b/playbooks/sudorule/ensure-sudorule-does-not-have-sudooption.yml @@ -0,0 +1,14 @@ +--- +- name: Tests + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Ensure sudooption is absent in sudorule + - ipasudorule: + ipaadmin_password: MyPassword123 + name: testrule1 + sudooption: "!root" + action: member + state: absent diff --git a/playbooks/sudorule/ensure-sudorule-has-sudooption.yml b/playbooks/sudorule/ensure-sudorule-has-sudooption.yml new file mode 100644 index 0000000..1f32b9a --- /dev/null +++ b/playbooks/sudorule/ensure-sudorule-has-sudooption.yml @@ -0,0 +1,13 @@ +--- +- name: Tests + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Ensure sudooption is present in sudorule + - ipasudorule: + ipaadmin_password: MyPassword123 + name: testrule1 + sudooption: "!root" + action: member diff --git a/playbooks/sudorule/ensure-sudorule-is-present-with-order.yml b/playbooks/sudorule/ensure-sudorule-is-present-with-order.yml new file mode 100644 index 0000000..9a3c2b2 --- /dev/null +++ b/playbooks/sudorule/ensure-sudorule-is-present-with-order.yml @@ -0,0 +1,12 @@ +--- +- name: Tests + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Ensure sudorule is present with the given order. + - ipasudorule: + ipaadmin_password: MyPassword123 + name: testrule1 + order: 2 diff --git a/playbooks/sudorule/ensure-sudorule-is-present.yml b/playbooks/sudorule/ensure-sudorule-is-present.yml index 5b8f32b..89041af 100644 --- a/playbooks/sudorule/ensure-sudorule-is-present.yml +++ b/playbooks/sudorule/ensure-sudorule-is-present.yml @@ -9,4 +9,6 @@ ipaadmin_password: MyPassword123 name: testrule1 description: A test sudo rule. + allow_sudocmd: /bin/ls + deny_sudocmd: /bin/vim state: present diff --git a/playbooks/sudorule/ensure-sudorule-runasuser-is-absent.yml b/playbooks/sudorule/ensure-sudorule-runasuser-is-absent.yml new file mode 100644 index 0000000..56612f1 --- /dev/null +++ b/playbooks/sudorule/ensure-sudorule-runasuser-is-absent.yml @@ -0,0 +1,14 @@ +--- +- name: Tests + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Ensure sudorule is present with the given order. + - ipasudorule: + ipaadmin_password: MyPassword123 + name: testrule1 + runasuser: admin + action: member + state: absent diff --git a/playbooks/sudorule/ensure-sudorule-runasuser-is-present.yml b/playbooks/sudorule/ensure-sudorule-runasuser-is-present.yml new file mode 100644 index 0000000..8af49b9 --- /dev/null +++ b/playbooks/sudorule/ensure-sudorule-runasuser-is-present.yml @@ -0,0 +1,13 @@ +--- +- name: Tests + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Ensure sudorule is present with the given order. + - ipasudorule: + ipaadmin_password: MyPassword123 + name: testrule1 + runasuser: admin + action: member diff --git a/playbooks/sudorule/ensure-sudorule-sudocmd-is-absent.yml b/playbooks/sudorule/ensure-sudorule-sudocmd-is-absent.yml index 942d0b5..328242a 100644 --- a/playbooks/sudorule/ensure-sudorule-sudocmd-is-absent.yml +++ b/playbooks/sudorule/ensure-sudorule-sudocmd-is-absent.yml @@ -8,8 +8,13 @@ - ipasudorule: ipaadmin_password: MyPassword123 name: testrule1 - cmd: + allow_sudocmd: - /sbin/ifconfig + deny_sudocmd: - /usr/bin/vim + allow_sudocmdgroup: + - devops + deny_sudocmdgroup: + - users action: member state: absent diff --git a/playbooks/sudorule/ensure-sudorule-sudocmd-is-present.yml b/playbooks/sudorule/ensure-sudorule-sudocmd-is-present.yml index 61fcbb0..55acd61 100644 --- a/playbooks/sudorule/ensure-sudorule-sudocmd-is-present.yml +++ b/playbooks/sudorule/ensure-sudorule-sudocmd-is-present.yml @@ -8,7 +8,12 @@ - ipasudorule: ipaadmin_password: MyPassword123 name: testrule1 - cmd: + allow_sudocmd: - /sbin/ifconfig + deny_sudocmd: - /usr/bin/vim + allow_sudocmdgroup: + - devops + deny_sudocmdgroup: + - users action: member diff --git a/plugins/modules/ipasudorule.py b/plugins/modules/ipasudorule.py index c21f247..285a946 100644 --- a/plugins/modules/ipasudorule.py +++ b/plugins/modules/ipasudorule.py @@ -79,18 +79,43 @@ description: Host category the sudo rule applies to. required: false choices: ["all"] - cmd: - description: List of sudocmds assigned to this sudorule. + allow_sudocmd: + description: List of allowed sudocmds assigned to this sudorule. required: false type: list - cmdgroup: - description: List of sudocmd groups assigned to this sudorule. + allow_sudocmdgroup: + description: List of allowed sudocmd groups assigned to this sudorule. + required: false + type: list + deny_sudocmd: + description: List of denied sudocmds assigned to this sudorule. + required: false + type: list + deny_sudocmdgroup: + description: List of denied sudocmd groups assigned to this sudorule. required: false type: list cmdcategory: - description: Cammand category the sudo rule applies to + description: Command category the sudo rule applies to required: false choices: ["all"] + order: + description: Order to apply this rule. + required: false + type: int + sudooption: + description: + required: false + type: list + aliases: ["options"] + runasuser: + description: List of users for Sudo to execute as. + required: false + type: list + runasgroup: + description: List of groups for Sudo to execute as. + required: false + type: list action: description: Work on sudorule or member level default: sudorule @@ -111,13 +136,13 @@ # Ensure sudocmd is present in Sudo Rule - ipasudorule: - ipaadmin_password: pass1234 - name: testrule1 - cmd: - - /sbin/ifconfig - - /usr/bin/vim - action: member - state: absent + ipaadmin_password: pass1234 + name: testrule1 + allow_sudocmd: + - /sbin/ifconfig + - /usr/bin/vim + action: member + state: absent # Ensure host server is present in Sudo Rule - ipasudorule: @@ -160,7 +185,7 @@ from ansible.module_utils.basic import AnsibleModule from ansible.module_utils.ansible_freeipa_module import temp_kinit, \ temp_kdestroy, valid_creds, api_connect, api_command, compare_args_ipa, \ - module_params_get + module_params_get, gen_add_del_lists def find_sudorule(module, name): @@ -180,14 +205,26 @@ def find_sudorule(module, name): return None -def gen_args(ansible_module): - arglist = ['description', 'usercategory', 'hostcategory', 'cmdcategory', - 'runasusercategory', 'runasgroupcategory', 'nomembers'] +def gen_args(description, usercat, hostcat, cmdcat, runasusercat, + runasgroupcat, order, nomembers): _args = {} - for arg in arglist: - value = module_params_get(ansible_module, arg) - if value is not None: - _args[arg] = value + + if description is not None: + _args['description'] = description + if usercat is not None: + _args['usercategory'] = usercat + if hostcat is not None: + _args['hostcategory'] = hostcat + if cmdcat is not None: + _args['cmdcategory'] = cmdcat + if runasusercat is not None: + _args['ipasudorunasusercategory'] = runasusercat + if runasgroupcat is not None: + _args['ipasudorunasgroupcategory'] = runasgroupcat + if order is not None: + _args['sudoorder'] = order + if nomembers is not None: + _args['nomembers'] = nomembers return _args @@ -212,13 +249,21 @@ def main(): hostgroup=dict(required=False, type='list', default=None), user=dict(required=False, type='list', default=None), group=dict(required=False, type='list', default=None), - cmd=dict(required=False, type="list", default=None), + allow_sudocmd=dict(required=False, type="list", default=None), + deny_sudocmd=dict(required=False, type="list", default=None), + allow_sudocmdgroup=dict(required=False, type="list", default=None), + deny_sudocmdgroup=dict(required=False, type="list", default=None), cmdcategory=dict(required=False, type="str", default=None, choices=["all"]), runasusercategory=dict(required=False, type="str", default=None, choices=["all"]), runasgroupcategory=dict(required=False, type="str", default=None, choices=["all"]), + runasuser=dict(required=False, type="list", default=None), + runasgroup=dict(required=False, type="list", default=None), + order=dict(type="int", required=False, aliases=['sudoorder']), + sudooption=dict(required=False, type='list', default=None, + aliases=["options"]), action=dict(type="str", default="sudorule", choices=["member", "sudorule"]), # state @@ -256,8 +301,16 @@ def main(): hostgroup = module_params_get(ansible_module, "hostgroup") user = module_params_get(ansible_module, "user") group = module_params_get(ansible_module, "group") - cmd = module_params_get(ansible_module, 'cmd') - cmdgroup = module_params_get(ansible_module, 'cmdgroup') + allow_sudocmd = module_params_get(ansible_module, 'allow_sudocmd') + allow_sudocmdgroup = module_params_get(ansible_module, + 'allow_sudocmdgroup') + deny_sudocmd = module_params_get(ansible_module, 'deny_sudocmd') + deny_sudocmdgroup = module_params_get(ansible_module, + 'deny_sudocmdgroup') + sudooption = module_params_get(ansible_module, "sudooption") + order = module_params_get(ansible_module, "order") + runasuser = module_params_get(ansible_module, "runasuser") + runasgroup = module_params_get(ansible_module, "runasgroup") action = module_params_get(ansible_module, "action") # state @@ -272,28 +325,30 @@ def main(): if action == "member": invalid = ["description", "usercategory", "hostcategory", "cmdcategory", "runasusercategory", - "runasgroupcategory", "nomembers"] + "runasgroupcategory", "order", "nomembers"] - for x in invalid: - if x in vars() and vars()[x] is not None: + for arg in invalid: + if arg in vars() and vars()[arg] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with action " - "'%s'" % (x, action)) + "'%s'" % (arg, action)) elif state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") invalid = ["description", "usercategory", "hostcategory", "cmdcategory", "runasusercategory", - "runasgroupcategory", "nomembers"] + "runasgroupcategory", "nomembers", "order"] if action == "sudorule": invalid.extend(["host", "hostgroup", "user", "group", - "cmd", "cmdgroup"]) - for x in invalid: - if vars()[x] is not None: + "runasuser", "runasgroup", "allow_sudocmd", + "allow_sudocmdgroup", "deny_sudocmd", + "deny_sudocmdgroup", "sudooption"]) + for arg in invalid: + if vars()[arg] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % - (x, state)) + (arg, state)) elif state in ["enabled", "disabled"]: if len(names) < 1: @@ -305,12 +360,14 @@ def main(): invalid = ["description", "usercategory", "hostcategory", "cmdcategory", "runasusercategory", "runasgroupcategory", "nomembers", "nomembers", "host", "hostgroup", - "user", "group", "cmd", "cmdgroup"] - for x in invalid: - if vars()[x] is not None: + "user", "group", "allow_sudocmd", "allow_sudocmdgroup", + "deny_sudocmd", "deny_sudocmdgroup", "runasuser", + "runasgroup", "order", "sudooption"] + for arg in invalid: + if vars()[arg] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % - (x, state)) + (arg, state)) else: ansible_module.fail_json(msg="Invalid state '%s'" % state) @@ -335,7 +392,9 @@ def main(): # Create command if state == "present": # Generate args - args = gen_args(ansible_module) + args = gen_args(description, usercategory, hostcategory, + cmdcategory, runasusercategory, + runasgroupcategory, order, nomembers) if action == "sudorule": # Found the sudorule if res_find is not None: @@ -351,44 +410,42 @@ def main(): res_find = {} # Generate addition and removal lists - host_add = list( - set(host or []) - - set(res_find.get("member_host", []))) - host_del = list( - set(res_find.get("member_host", [])) - - set(host or [])) - hostgroup_add = list( - set(hostgroup or []) - - set(res_find.get("member_hostgroup", []))) - hostgroup_del = list( - set(res_find.get("member_hostgroup", [])) - - set(hostgroup or [])) - - user_add = list( - set(user or []) - - set(res_find.get("member_user", []))) - user_del = list( - set(res_find.get("member_user", [])) - - set(user or [])) - group_add = list( - set(group or []) - - set(res_find.get("member_group", []))) - group_del = list( - set(res_find.get("member_group", [])) - - set(group or [])) - - cmd_add = list( - set(cmd or []) - - set(res_find.get("member_cmd", []))) - cmd_del = list( - set(res_find.get("member_cmd", [])) - - set(cmd or [])) - cmdgroup_add = list( - set(cmdgroup or []) - - set(res_find.get("member_cmdgroup", []))) - cmdgroup_del = list( - set(res_find.get("member_cmdgroup", [])) - - set(cmdgroup or [])) + host_add, host_del = gen_add_del_lists( + host, res_find.get('member_host', [])) + + hostgroup_add, hostgroup_del = gen_add_del_lists( + hostgroup, res_find.get('member_hostgroup', [])) + + user_add, user_del = gen_add_del_lists( + user, res_find.get('member_user', [])) + + group_add, group_del = gen_add_del_lists( + group, res_find.get('member_group', [])) + + allow_cmd_add, allow_cmd_del = gen_add_del_lists( + allow_sudocmd, + res_find.get('memberallowcmd_sudocmd', [])) + + allow_cmdgroup_add, allow_cmdgroup_del = gen_add_del_lists( + allow_sudocmdgroup, + res_find.get('memberallowcmd_sudocmdgroup', [])) + + deny_cmd_add, deny_cmd_del = gen_add_del_lists( + deny_sudocmd, + res_find.get('memberdenycmd_sudocmd', [])) + + deny_cmdgroup_add, deny_cmdgroup_del = gen_add_del_lists( + deny_sudocmdgroup, + res_find.get('memberdenycmd_sudocmdgroup', [])) + + sudooption_add, sudooption_del = gen_add_del_lists( + sudooption, res_find.get('ipasudoopt', [])) + + runasuser_add, runasuser_del = gen_add_del_lists( + runasuser, res_find.get('ipasudorunas_user', [])) + + runasgroup_add, runasgroup_del = gen_add_del_lists( + runasgroup, res_find.get('ipasudorunas_group', [])) # Add hosts and hostgroups if len(host_add) > 0 or len(hostgroup_add) > 0: @@ -420,20 +477,59 @@ def main(): "group": group_del, }]) - # Add commands - if len(cmd_add) > 0 or len(cmdgroup_add) > 0: + # Add commands allowed + if len(allow_cmd_add) > 0 or len(allow_cmdgroup_add) > 0: commands.append([name, "sudorule_add_allow_command", - { - "sudocmd": cmd_add, - "sudocmdgroup": cmdgroup_add, - }]) - - if len(cmd_del) > 0 or len(cmdgroup_del) > 0: + {"sudocmd": allow_cmd_add, + "sudocmdgroup": allow_cmdgroup_add, + }]) + + if len(allow_cmd_del) > 0 or len(allow_cmdgroup_del) > 0: + commands.append([name, "sudorule_remove_allow_command", + {"sudocmd": allow_cmd_del, + "sudocmdgroup": allow_cmdgroup_del + }]) + + # Add commands denied + if len(deny_cmd_add) > 0 or len(deny_cmdgroup_add) > 0: commands.append([name, "sudorule_add_deny_command", - { - "sudocmd": cmd_del, - "sudocmdgroup": cmdgroup_del - }]) + {"sudocmd": deny_cmd_add, + "sudocmdgroup": deny_cmdgroup_add, + }]) + + if len(deny_cmd_del) > 0 or len(deny_cmdgroup_del) > 0: + commands.append([name, "sudorule_remove_deny_command", + {"sudocmd": deny_cmd_del, + "sudocmdgroup": deny_cmdgroup_del + }]) + + # Add RunAS Users + if len(runasuser_add) > 0: + commands.append([name, "sudorule_add_runasuser", + {"user": runasuser_add}]) + # Remove RunAS Users + if len(runasuser_del) > 0: + commands.append([name, "sudorule_remove_runasuser", + {"user": runasuser_del}]) + + # Add RunAS Groups + if len(runasgroup_add) > 0: + commands.append([name, "sudorule_add_runasgroup", + {"group": runasgroup_add}]) + # Remove RunAS Groups + if len(runasgroup_del) > 0: + commands.append([name, "sudorule_remove_runasgroup", + {"group": runasgroup_del}]) + + # Add sudo options + for sudoopt in sudooption_add: + commands.append([name, "sudorule_add_option", + {"ipasudoopt": sudoopt}]) + + # Remove sudo options + for sudoopt in sudooption_del: + commands.append([name, "sudorule_remove_option", + {"ipasudoopt": sudoopt}]) elif action == "member": if res_find is None: @@ -456,11 +552,38 @@ def main(): }]) # Add commands - if cmd is not None: + if allow_sudocmd is not None \ + or allow_sudocmdgroup is not None: commands.append([name, "sudorule_add_allow_command", - { - "sudocmd": cmd, - }]) + {"sudocmd": allow_sudocmd, + "sudocmdgroup": allow_sudocmdgroup, + }]) + + # Add commands + if deny_sudocmd is not None \ + or deny_sudocmdgroup is not None: + commands.append([name, "sudorule_add_deny_command", + {"sudocmd": deny_sudocmd, + "sudocmdgroup": deny_sudocmdgroup, + }]) + + # Add RunAS Users + if runasuser is not None: + commands.append([name, "sudorule_add_runasuser", + {"user": runasuser}]) + + # Add RunAS Groups + if runasgroup is not None: + commands.append([name, "sudorule_add_runasgroup", + {"group": runasgroup}]) + + # Add options + if sudooption is not None: + existing_opts = res_find.get('ipasudoopt', []) + for sudoopt in sudooption: + if sudoopt not in existing_opts: + commands.append([name, "sudorule_add_option", + {"ipasudoopt": sudoopt}]) elif state == "absent": if action == "sudorule": @@ -487,12 +610,40 @@ def main(): "group": group, }]) - # Remove commands - if cmd is not None: - commands.append([name, "sudorule_add_deny_command", - { - "sudocmd": cmd, - }]) + # Remove allow commands + if allow_sudocmd is not None \ + or allow_sudocmdgroup is not None: + commands.append([name, "sudorule_remove_allow_command", + {"sudocmd": allow_sudocmd, + "sudocmdgroup": allow_sudocmdgroup + }]) + + # Remove deny commands + if deny_sudocmd is not None \ + or deny_sudocmdgroup is not None: + commands.append([name, "sudorule_remove_deny_command", + {"sudocmd": deny_sudocmd, + "sudocmdgroup": deny_sudocmdgroup + }]) + + # Remove RunAS Users + if runasuser is not None: + commands.append([name, "sudorule_remove_runasuser", + {"user": runasuser}]) + + # Remove RunAS Groups + if runasgroup is not None: + commands.append([name, "sudorule_remove_runasgroup", + {"group": runasgroup}]) + + # Remove options + if sudooption is not None: + existing_opts = res_find.get('ipasudoopt', []) + for sudoopt in sudooption: + if sudoopt in existing_opts: + commands.append([name, + "sudorule_remove_option", + {"ipasudoopt": sudoopt}]) elif state == "enabled": if res_find is None: @@ -530,9 +681,9 @@ def main(): changed = True else: changed = True - except Exception as e: + except Exception as ex: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, - str(e))) + str(ex))) # Get all errors # All "already a member" and "not a member" failures in the # result are ignored. All others are reported. @@ -549,8 +700,8 @@ def main(): if len(errors) > 0: ansible_module.fail_json(msg=", ".join(errors)) - except Exception as e: - ansible_module.fail_json(msg=str(e)) + except Exception as ex: + ansible_module.fail_json(msg=str(ex)) finally: temp_kdestroy(ccache_dir, ccache_name) diff --git a/tests/sudorule/test_sudorule.yml b/tests/sudorule/test_sudorule.yml index 88ed90a..25090bb 100644 --- a/tests/sudorule/test_sudorule.yml +++ b/tests/sudorule/test_sudorule.yml @@ -16,15 +16,22 @@ - name: Ensure some sudocmds are available ipasudocmd: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: - /sbin/ifconfig - /usr/bin/vim state: present + - name: Ensure sudocmdgroup is available + ipasudocmdgroup: + ipaadmin_password: MyPassword123 + name: test_sudorule + sudocmd: /usr/bin/vim + state: present + - name: Ensure sudorules are absent ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: - testrule1 - allusers @@ -34,21 +41,21 @@ - name: Ensure sudorule is present ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: testrule1 register: result failed_when: not result.changed - name: Ensure sudorule is present again ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: testrule1 register: result failed_when: result.changed - name: Ensure sudorule is present, runAsUserCategory. ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: testrule1 runAsUserCategory: all register: result @@ -56,7 +63,7 @@ - name: Ensure sudorule is present, with usercategory 'all' ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: allusers usercategory: all register: result @@ -64,7 +71,7 @@ - name: Ensure sudorule is present, with usercategory 'all', again ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: allusers usercategory: all register: result @@ -72,7 +79,7 @@ - name: Ensure sudorule is present, with hostategory 'all' ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: allhosts hostcategory: all register: result @@ -80,7 +87,7 @@ - name: Ensure sudorule is present, with hostategory 'all', again ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: allhosts hostcategory: all register: result @@ -88,13 +95,13 @@ - name: Ensure sudorule is disabled ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: testrule1 state: disabled - name: Ensure sudorule is disabled, again ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: testrule1 state: disabled register: result @@ -102,7 +109,7 @@ - name: Ensure sudorule is enabled ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: testrule1 state: enabled register: result @@ -110,37 +117,77 @@ - name: Ensure sudorule is enabled, again ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: testrule1 state: enabled register: result failed_when: result.changed - - name: Ensure sudorule is present and some sudocmd are a member of it. + - name: Ensure sudorule is present and some sudocmd are allowed. ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: testrule1 - cmd: + allow_sudocmd: - /sbin/ifconfig - - /usr/bin/vim action: member register: result failed_when: not result.changed - - name: Ensure sudorule is present and some sudocmd are a member of it, again. + - name: Ensure sudorule is present and some sudocmd are allowed, again. ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: testrule1 - cmd: + allow_sudocmd: - /sbin/ifconfig + action: member + register: result + failed_when: result.changed + + - name: Ensure sudorule is present and some sudocmd are denyed. + ipasudorule: + ipaadmin_password: MyPassword123 + name: testrule1 + deny_sudocmd: + - /usr/bin/vim + action: member + register: result + failed_when: not result.changed + + - name: Ensure sudorule is present and some sudocmd are denyed, again. + ipasudorule: + ipaadmin_password: MyPassword123 + name: testrule1 + deny_sudocmd: - /usr/bin/vim action: member register: result failed_when: result.changed + - name: Ensure sudorule is present and, sudocmds are absent. + ipasudorule: + ipaadmin_password: MyPassword123 + name: testrule1 + allow_sudocmd: /sbin/ifconfig + deny_sudocmd: /usr/bin/vim + action: member + state: absent + register: result + failed_when: not result.changed + + - name: Ensure sudorule is present and, sudocmds are absent, again. + ipasudorule: + ipaadmin_password: MyPassword123 + name: testrule1 + allow_sudocmd: /sbin/ifconfig + deny_sudocmd: /usr/bin/vim + action: member + state: absent + register: result + failed_when: result.changed + - name: Ensure sudorule is present with cmdcategory 'all'. ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: allcommands cmdcategory: all register: result @@ -148,7 +195,7 @@ - name: Ensure sudorule is present with cmdcategory 'all', again. ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: allcommands cmdcategory: all register: result @@ -156,7 +203,7 @@ - name: Ensure host "{{ groups.ipaserver[0] }}" is present in sudorule. ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: testrule1 host: "{{ groups.ipaserver[0] }}" action: member @@ -165,7 +212,7 @@ - name: Ensure host "{{ groups.ipaserver[0] }}" is present in sudorule, again. ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: testrule1 host: "{{ groups.ipaserver[0] }}" action: member @@ -190,25 +237,77 @@ register: result failed_when: result.changed - - name: Ensure sudorule sudocmds are absent + - name: Ensure sudorule is present, with an allow_sudocmdgroup. ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: testrule1 - cmd: - - /sbin/ifconfig - - /usr/bin/vim + allow_sudocmdgroup: test_sudorule + state: present + register: result + failed_when: not result.changed + + - name: Ensure sudorule is present, with an allow_sudocmdgroup, again. + ipasudorule: + ipaadmin_password: MyPassword123 + name: testrule1 + allow_sudocmdgroup: test_sudorule + state: present + register: result + failed_when: result.changed + + - name: Ensure sudorule is present, but allow_sudocmdgroup is absent. + ipasudorule: + ipaadmin_password: MyPassword123 + name: testrule1 + allow_sudocmdgroup: test_sudorule action: member state: absent register: result failed_when: not result.changed - - name: Ensure sudorule sudocmds are absent, again + - name: Ensure sudorule is present, but allow_sudocmdgroup is absent. ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: testrule1 - cmd: - - /sbin/ifconfig - - /usr/bin/vim + allow_sudocmdgroup: test_sudorule + action: member + state: absent + register: result + failed_when: result.changed + + - name: Ensure sudorule is present, with an deny_sudocmdgroup. + ipasudorule: + ipaadmin_password: MyPassword123 + name: testrule1 + deny_sudocmdgroup: test_sudorule + state: present + register: result + failed_when: not result.changed + + - name: Ensure sudorule is present, with an deny_sudocmdgroup, again. + ipasudorule: + ipaadmin_password: MyPassword123 + name: testrule1 + deny_sudocmdgroup: test_sudorule + state: present + register: result + failed_when: result.changed + + - name: Ensure sudorule is present, but deny_sudocmdgroup is absent. + ipasudorule: + ipaadmin_password: MyPassword123 + name: testrule1 + deny_sudocmdgroup: test_sudorule + action: member + state: absent + register: result + failed_when: not result.changed + + - name: Ensure sudorule is present, but deny_sudocmdgroup is absent, again. + ipasudorule: + ipaadmin_password: MyPassword123 + name: testrule1 + deny_sudocmdgroup: test_sudorule action: member state: absent register: result @@ -216,7 +315,7 @@ - name: Ensure sudorule is absent ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: testrule1 state: absent register: result @@ -224,7 +323,7 @@ - name: Ensure sudorule is absent, again. ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: testrule1 state: absent register: result @@ -232,7 +331,7 @@ - name: Ensure sudorule allhosts is absent ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: allhosts state: absent register: result @@ -240,7 +339,7 @@ - name: Ensure sudorule allhosts is absent, again ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: allhosts state: absent register: result @@ -248,7 +347,7 @@ - name: Ensure sudorule allusers is absent ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: allusers state: absent register: result @@ -256,7 +355,7 @@ - name: Ensure sudorule allusers is absent, again ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: allusers state: absent register: result @@ -264,7 +363,7 @@ - name: Ensure sudorule allcommands is absent ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: allcommands state: absent register: result @@ -272,8 +371,29 @@ - name: Ensure sudorule allcommands is absent, again ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: MyPassword123 name: allcommands state: absent register: result failed_when: result.changed + + # cleanup + - name : Ensure sudocmdgroup is absent + ipasudocmdgroup: + ipaadmin_password: MyPassword123 + name: test_sudorule + state: absent + + - name: Ensure hostgroup is absent. + ipahostgroup: + ipaadmin_password: MyPassword123 + name: cluster + state: absent + + - name: Ensure sudocmds are absent + ipasudocmd: + ipaadmin_password: MyPassword123 + name: + - /sbin/ifconfig + - /usr/bin/vim + state: absent