Commit dc0a5585 authored by Rafael Guterres Jeffman's avatar Rafael Guterres Jeffman

Add missing attributes to ipasudorule.

This patch adds the following attributes to ipasudorule:

    - order
    - sudooption
    - runasuser
    - runasgroup

It also fixes behavior of sudocmd assigned to the sudorule, with the
addition of the attributes:

    - allow_sudocmds
    - deny_sudocmds
    - allow_sudocmdgroups
    - deny_sudocmdgroups

README-sudorule and tests have been updated to comply with the changes.
parent 6b3cae53
Showing with 504 additions and 149 deletions
......@@ -68,7 +68,7 @@ Example playbook to make sure sudocmds are present in Sudo Rule:
- ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
cmd:
allow_sudocmd:
- /sbin/ifconfig
action: member
```
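Review bot: the README example heading still says "sudocmds are present in Sudo Rule" while the snippet now only shows `allow_sudocmd`; since this patch also introduces `deny_sudocmd`, `allow_sudocmdgroup` and `deny_sudocmdgroup`, the README should carry at least one example for the deny side (for instance the same playbook with `deny_sudocmd:` / `- /usr/bin/vim`) so readers do not assume `allow_sudocmd` is the only way to attach commands.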
......@@ -87,7 +87,7 @@ Example playbook to make sure sudocmds are not present in Sudo Rule:
- ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
cmd:
allow_sudocmd:
- /sbin/ifconfig
action: member
state: absent
......@@ -130,8 +130,14 @@ Variable | Description | Required
`hostgroup` | List of host group name strings assigned to this sudorule. | no
`user` | List of user name strings assigned to this sudorule. | no
`group` | List of user group name strings assigned to this sudorule. | no
`cmd` | List of sudocmd name strings assigned to this sudorule. | no
`cmdgroup` | List of sudocmd group name strings assigned wto this sudorule. | no
`allow_sudocmd` | List of sudocmd name strings assigned to the allow group of this sudorule. | no
`deny_sudocmd` | List of sudocmd name strings assigned to the deny group of this sudorule. | no
`allow_sudocmdgroup` | List of sudocmd groups name strings assigned to the allow group of this sudorule. | no
`deny_sudocmdgroup` | List of sudocmd groups name strings assigned to the deny group of this sudorule. | no
`sudooption` \| `option` | List of options to the sudorule | no
`order` | Integer to order the sudorule | no
`runasuser` | List of users for Sudo to execute as. | no
`runasgroup` | List of groups for Sudo to execute as. | no
`action` | Work on sudorule or member level. It can be on of `member` or `sudorule` and defaults to `sudorule`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, `enabled` or `disabled`, default: `present`. | no
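Review bot: the variable names in this table are singular (`allow_sudocmd`, `deny_sudocmd`, `allow_sudocmdgroup`, `deny_sudocmdgroup`) while the commit message lists them as `allow_sudocmds`, `deny_sudocmds`, `allow_sudocmdgroups`, `deny_sudocmdgroups`; one of the two should be corrected so the documentation matches the option names the module actually accepts. The new `order` row ("Integer to order the sudorule") should say what the integer controls, i.e. the rule's precedence among matching sudo rules, and the `sudooption` row lacks the terminal period the other rows use. The unchanged `action` row still has the typo "It can be on of `member` or `sudorule`" and could be fixed in passing.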
......
---
- name: Tests
hosts: ipaserver
become: true
gather_facts: false
tasks:
# Ensure sudooption is absent in sudorule
- ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
sudooption: "!root"
action: member
state: absent
---
- name: Tests
hosts: ipaserver
become: true
gather_facts: false
tasks:
# Ensure sudooption is present in sudorule
- ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
sudooption: "!root"
action: member
---
- name: Tests
hosts: ipaserver
become: true
gather_facts: false
tasks:
# Ensure sudorule is present with the given order.
- ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
order: 2
......@@ -9,4 +9,6 @@
ipaadmin_password: MyPassword123
name: testrule1
description: A test sudo rule.
allow_sudocmd: /bin/ls
deny_sudocmd: /bin/vim
state: present
---
- name: Tests
hosts: ipaserver
become: true
gather_facts: false
tasks:
# Ensure sudorule is present with the given order.
- ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
runasuser: admin
action: member
state: absent
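Review bot: the comment "# Ensure sudorule is present with the given order." was copied from the order test and does not describe this task, which removes `runasuser: admin` from the rule with `action: member` and `state: absent`; it should read something like "# Ensure runasuser is absent in sudorule".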
---
- name: Tests
hosts: ipaserver
become: true
gather_facts: false
tasks:
# Ensure sudorule is present with the given order.
- ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
runasuser: admin
action: member
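Review bot: same copy-paste comment as in the absent variant: "# Ensure sudorule is present with the given order." should describe what this task does, namely ensuring `runasuser: admin` is a member of the rule.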
......@@ -8,8 +8,13 @@
- ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
cmd:
allow_sudocmd:
- /sbin/ifconfig
deny_sudocmd:
- /usr/bin/vim
allow_sudocmdgroup:
- devops
deny_sudocmdgroup:
- users
action: member
state: absent
......@@ -8,7 +8,12 @@
- ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
cmd:
allow_sudocmd:
- /sbin/ifconfig
deny_sudocmd:
- /usr/bin/vim
allow_sudocmdgroup:
- devops
deny_sudocmdgroup:
- users
action: member
......@@ -16,15 +16,22 @@
- name: Ensure some sudocmds are available
ipasudocmd:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name:
- /sbin/ifconfig
- /usr/bin/vim
state: present
- name: Ensure sudocmdgroup is available
ipasudocmdgroup:
ipaadmin_password: MyPassword123
name: test_sudorule
sudocmd: /usr/bin/vim
state: present
- name: Ensure sudorules are absent
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name:
- testrule1
- allusers
......@@ -34,21 +41,21 @@
- name: Ensure sudorule is present
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: testrule1
register: result
failed_when: not result.changed
- name: Ensure sudorule is present again
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: testrule1
register: result
failed_when: result.changed
- name: Ensure sudorule is present, runAsUserCategory.
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: testrule1
runAsUserCategory: all
register: result
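Review bot: the unchanged context line `runAsUserCategory: all` uses a camel-case parameter while the options added in this patch are lower-case (`runasuser`, `runasgroup`, `sudooption`), and the README table added here does not document `runAsUserCategory` at all; it would be worth confirming the accepted spelling and adding a test that combines `runasuser` with `runAsUserCategory: all`, since FreeIPA rejects adding runAs users to a rule whose runAs user category is already `all`, and the module should report that cleanly rather than fail mid-run.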
......@@ -56,7 +63,7 @@
- name: Ensure sudorule is present, with usercategory 'all'
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: allusers
usercategory: all
register: result
......@@ -64,7 +71,7 @@
- name: Ensure sudorule is present, with usercategory 'all', again
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: allusers
usercategory: all
register: result
......@@ -72,7 +79,7 @@
- name: Ensure sudorule is present, with hostategory 'all'
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: allhosts
hostcategory: all
register: result
......@@ -80,7 +87,7 @@
- name: Ensure sudorule is present, with hostategory 'all', again
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: allhosts
hostcategory: all
register: result
......@@ -88,13 +95,13 @@
- name: Ensure sudorule is disabled
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: testrule1
state: disabled
- name: Ensure sudorule is disabled, again
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: testrule1
state: disabled
register: result
......@@ -102,7 +109,7 @@
- name: Ensure sudorule is enabled
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: testrule1
state: enabled
register: result
......@@ -110,37 +117,77 @@
- name: Ensure sudorule is enabled, again
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: testrule1
state: enabled
register: result
failed_when: result.changed
- name: Ensure sudorule is present and some sudocmd are a member of it.
- name: Ensure sudorule is present and some sudocmd are allowed.
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: testrule1
cmd:
allow_sudocmd:
- /sbin/ifconfig
- /usr/bin/vim
action: member
register: result
failed_when: not result.changed
- name: Ensure sudorule is present and some sudocmd are a member of it, again.
- name: Ensure sudorule is present and some sudocmd are allowed, again.
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: testrule1
cmd:
allow_sudocmd:
- /sbin/ifconfig
action: member
register: result
failed_when: result.changed
- name: Ensure sudorule is present and some sudocmd are denyed.
ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
deny_sudocmd:
- /usr/bin/vim
action: member
register: result
failed_when: not result.changed
- name: Ensure sudorule is present and some sudocmd are denyed, again.
ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
deny_sudocmd:
- /usr/bin/vim
action: member
register: result
failed_when: result.changed
- name: Ensure sudorule is present and, sudocmds are absent.
ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
allow_sudocmd: /sbin/ifconfig
deny_sudocmd: /usr/bin/vim
action: member
state: absent
register: result
failed_when: not result.changed
- name: Ensure sudorule is present and, sudocmds are absent, again.
ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
allow_sudocmd: /sbin/ifconfig
deny_sudocmd: /usr/bin/vim
action: member
state: absent
register: result
failed_when: result.changed
- name: Ensure sudorule is present with cmdcategory 'all'.
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: allcommands
cmdcategory: all
register: result
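Review bot: spelling in the new task names, "some sudocmd are denyed" and "denyed, again", should be "denied"; the names "Ensure sudorule is present and, sudocmds are absent." and "... absent, again." also carry a stray comma after "and". Functionally, the idempotency check "some sudocmd are allowed, again" passes only `/sbin/ifconfig` after the first task added both `/sbin/ifconfig` and `/usr/bin/vim`; that still asserts `not result.changed` correctly, but passing the same two commands would make the intent of the "again" check clearer.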
......@@ -148,7 +195,7 @@
- name: Ensure sudorule is present with cmdcategory 'all', again.
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: allcommands
cmdcategory: all
register: result
......@@ -156,7 +203,7 @@
- name: Ensure host "{{ groups.ipaserver[0] }}" is present in sudorule.
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: testrule1
host: "{{ groups.ipaserver[0] }}"
action: member
......@@ -165,7 +212,7 @@
- name: Ensure host "{{ groups.ipaserver[0] }}" is present in sudorule, again.
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: testrule1
host: "{{ groups.ipaserver[0] }}"
action: member
......@@ -190,25 +237,77 @@
register: result
failed_when: result.changed
- name: Ensure sudorule sudocmds are absent
- name: Ensure sudorule is present, with an allow_sudocmdgroup.
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: testrule1
cmd:
- /sbin/ifconfig
- /usr/bin/vim
allow_sudocmdgroup: test_sudorule
state: present
register: result
failed_when: not result.changed
- name: Ensure sudorule is present, with an allow_sudocmdgroup, again.
ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
allow_sudocmdgroup: test_sudorule
state: present
register: result
failed_when: result.changed
- name: Ensure sudorule is present, but allow_sudocmdgroup is absent.
ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
allow_sudocmdgroup: test_sudorule
action: member
state: absent
register: result
failed_when: not result.changed
- name: Ensure sudorule sudocmds are absent, again
- name: Ensure sudorule is present, but allow_sudocmdgroup is absent.
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: testrule1
cmd:
- /sbin/ifconfig
- /usr/bin/vim
allow_sudocmdgroup: test_sudorule
action: member
state: absent
register: result
failed_when: result.changed
- name: Ensure sudorule is present, with an deny_sudocmdgroup.
ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
deny_sudocmdgroup: test_sudorule
state: present
register: result
failed_when: not result.changed
- name: Ensure sudorule is present, with an deny_sudocmdgroup, again.
ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
deny_sudocmdgroup: test_sudorule
state: present
register: result
failed_when: result.changed
- name: Ensure sudorule is present, but deny_sudocmdgroup is absent.
ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
deny_sudocmdgroup: test_sudorule
action: member
state: absent
register: result
failed_when: not result.changed
- name: Ensure sudorule is present, but deny_sudocmdgroup is absent, again.
ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
deny_sudocmdgroup: test_sudorule
action: member
state: absent
register: result
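Review bot: the second allow_sudocmdgroup removal task is named "Ensure sudorule is present, but allow_sudocmdgroup is absent." exactly like the first one, although it asserts `failed_when: result.changed`; it should end with ", again" as the deny counterpart does. The names "with an deny_sudocmdgroup" and "with an deny_sudocmdgroup, again." should read "with a deny_sudocmdgroup". Also note that the tasks adding the command groups use `state: present` without `action: member`, which per the README defaults to `action: sudorule` (rule-level definition), while the removals use `action: member`; a member-level addition of `allow_sudocmdgroup` / `deny_sudocmdgroup` is therefore not exercised by this test and deserves its own pair of tasks.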
......@@ -216,7 +315,7 @@
- name: Ensure sudorule is absent
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: testrule1
state: absent
register: result
......@@ -224,7 +323,7 @@
- name: Ensure sudorule is absent, again.
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: testrule1
state: absent
register: result
......@@ -232,7 +331,7 @@
- name: Ensure sudorule allhosts is absent
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: allhosts
state: absent
register: result
......@@ -240,7 +339,7 @@
- name: Ensure sudorule allhosts is absent, again
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: allhosts
state: absent
register: result
......@@ -248,7 +347,7 @@
- name: Ensure sudorule allusers is absent
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: allusers
state: absent
register: result
......@@ -256,7 +355,7 @@
- name: Ensure sudorule allusers is absent, again
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: allusers
state: absent
register: result
......@@ -264,7 +363,7 @@
- name: Ensure sudorule allcommands is absent
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: allcommands
state: absent
register: result
......@@ -272,8 +371,29 @@
- name: Ensure sudorule allcommands is absent, again
ipasudorule:
ipaadmin_password: pass1234
ipaadmin_password: MyPassword123
name: allcommands
state: absent
register: result
failed_when: result.changed
# cleanup
- name : Ensure sudocmdgroup is absent
ipasudocmdgroup:
ipaadmin_password: MyPassword123
name: test_sudorule
state: absent
- name: Ensure hostgroup is absent.
ipahostgroup:
ipaadmin_password: MyPassword123
name: cluster
state: absent
- name: Ensure sudocmds are absent
ipasudocmd:
ipaadmin_password: MyPassword123
name:
- /sbin/ifconfig
- /usr/bin/vim
state: absent
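Review bot: `- name : Ensure sudocmdgroup is absent` has a space before the colon, unlike every other task in the file; while harmless to YAML, it should be `- name: ...` for consistency. The cleanup also removes the hostgroup `cluster`, so the setup section of this playbook must create it; if it already does, this is fine, otherwise the cleanup task and the test relying on it belong in the same change.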