Commit dc0a5585 authored by Rafael Guterres Jeffman

Add missing attributes to ipasudorule.

This patch adds the following attributes to ipasudorule:

    - order
    - sudooption
    - runasuser
    - runasgroup

It also fixes behavior of sudocmd assigned to the sudorule, with the
addition of the attributes:

    - allow_sudocmds
    - deny_sudocmds
    - allow_sudocmdgroups
    - deny_sudocmdgroups

README-sudorule and tests have been updated to comply with the changes.
parent 6b3cae53
Showing with 504 additions and 149 deletions
...@@ -68,7 +68,7 @@ Example playbook to make sure sudocmds are present in Sudo Rule: ...@@ -68,7 +68,7 @@ Example playbook to make sure sudocmds are present in Sudo Rule:
- ipasudorule: - ipasudorule:
ipaadmin_password: MyPassword123 ipaadmin_password: MyPassword123
name: testrule1 name: testrule1
cmd: allow_sudocmd:
- /sbin/ifconfig - /sbin/ifconfig
action: member action: member
``` ```
...@@ -87,7 +87,7 @@ Example playbook to make sure sudocmds are not present in Sudo Rule: ...@@ -87,7 +87,7 @@ Example playbook to make sure sudocmds are not present in Sudo Rule:
- ipasudorule: - ipasudorule:
ipaadmin_password: MyPassword123 ipaadmin_password: MyPassword123
name: testrule1 name: testrule1
cmd: allow_sudocmd:
- /sbin/ifconfig - /sbin/ifconfig
action: member action: member
state: absent state: absent
...@@ -130,8 +130,14 @@ Variable | Description | Required ...@@ -130,8 +130,14 @@ Variable | Description | Required
`hostgroup` | List of host group name strings assigned to this sudorule. | no `hostgroup` | List of host group name strings assigned to this sudorule. | no
`user` | List of user name strings assigned to this sudorule. | no `user` | List of user name strings assigned to this sudorule. | no
`group` | List of user group name strings assigned to this sudorule. | no `group` | List of user group name strings assigned to this sudorule. | no
`cmd` | List of sudocmd name strings assigned to this sudorule. | no `allow_sudocmd` | List of sudocmd name strings assigned to the allow group of this sudorule. | no
`cmdgroup` | List of sudocmd group name strings assigned wto this sudorule. | no `deny_sudocmd` | List of sudocmd name strings assigned to the deny group of this sudorule. | no
`allow_sudocmdgroup` | List of sudocmd groups name strings assigned to the allow group of this sudorule. | no
`deny_sudocmdgroup` | List of sudocmd groups name strings assigned to the deny group of this sudorule. | no
`sudooption` \| `option` | List of options to the sudorule | no
`order` | Integer to order the sudorule | no
`runasuser` | List of users for Sudo to execute as. | no
`runasgroup` | List of groups for Sudo to execute as. | no
`action` | Work on sudorule or member level. It can be on of `member` or `sudorule` and defaults to `sudorule`. | no `action` | Work on sudorule or member level. It can be on of `member` or `sudorule` and defaults to `sudorule`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, `enabled` or `disabled`, default: `present`. | no `state` | The state to ensure. It can be one of `present`, `absent`, `enabled` or `disabled`, default: `present`. | no
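Review bot: the README row `sudooption` \| `option` does not match the argument spec added in this same commit, which registers `aliases=["options"]`; pick one spelling and use it in both the README and the module. While this table is being touched, `sudocmd groups name strings` in the two `*_sudocmdgroup` rows should read `sudocmd group name strings`, and `It can be on of` in the `action` row should be `one of`.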
---
- name: Tests
hosts: ipaserver
become: true
gather_facts: false
tasks:
# Ensure sudooption is absent in sudorule
- ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
sudooption: "!root"
action: member
state: absent
---
- name: Tests
hosts: ipaserver
become: true
gather_facts: false
tasks:
# Ensure sudooption is present in sudorule
- ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
sudooption: "!root"
action: member
---
- name: Tests
hosts: ipaserver
become: true
gather_facts: false
tasks:
# Ensure sudorule is present with the given order.
- ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
order: 2
...@@ -9,4 +9,6 @@ ...@@ -9,4 +9,6 @@
ipaadmin_password: MyPassword123 ipaadmin_password: MyPassword123
name: testrule1 name: testrule1
description: A test sudo rule. description: A test sudo rule.
allow_sudocmd: /bin/ls
deny_sudocmd: /bin/vim
state: present state: present
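Review bot: this playbook denies `/bin/vim` while every other playbook and the test file in this commit use `/usr/bin/vim` (and create only `/sbin/ifconfig` and `/usr/bin/vim` as sudocmds); unless `/bin/ls` and `/bin/vim` exist as sudocmd objects the add will fail, so align the paths with the rest of the examples. The scalar form `allow_sudocmd: /bin/ls` is accepted for a list parameter, but the other playbooks use the list form; one style per repository is easier to copy from.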
---
- name: Tests
hosts: ipaserver
become: true
gather_facts: false
tasks:
# Ensure sudorule is present with the given order.
- ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
runasuser: admin
action: member
state: absent
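Review bot: the task comment `# Ensure sudorule is present with the given order.` was copied from the order playbook; this task removes `runasuser: admin` from the rule, so the comment should say `# Ensure runasuser admin is absent in sudorule`.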
---
- name: Tests
hosts: ipaserver
become: true
gather_facts: false
tasks:
# Ensure sudorule is present with the given order.
- ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
runasuser: admin
action: member
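Review bot: same stale comment as the absent variant: `# Ensure sudorule is present with the given order.` describes the order playbook, while this task adds `runasuser: admin`; change it to `# Ensure runasuser admin is present in sudorule`.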
...@@ -8,8 +8,13 @@ ...@@ -8,8 +8,13 @@
- ipasudorule: - ipasudorule:
ipaadmin_password: MyPassword123 ipaadmin_password: MyPassword123
name: testrule1 name: testrule1
cmd: allow_sudocmd:
- /sbin/ifconfig - /sbin/ifconfig
deny_sudocmd:
- /usr/bin/vim - /usr/bin/vim
allow_sudocmdgroup:
- devops
deny_sudocmdgroup:
- users
action: member action: member
state: absent state: absent
...@@ -8,7 +8,12 @@ ...@@ -8,7 +8,12 @@
- ipasudorule: - ipasudorule:
ipaadmin_password: MyPassword123 ipaadmin_password: MyPassword123
name: testrule1 name: testrule1
cmd: allow_sudocmd:
- /sbin/ifconfig - /sbin/ifconfig
deny_sudocmd:
- /usr/bin/vim - /usr/bin/vim
allow_sudocmdgroup:
- devops
deny_sudocmdgroup:
- users
action: member action: member
...@@ -79,18 +79,43 @@ options: ...@@ -79,18 +79,43 @@ options:
description: Host category the sudo rule applies to. description: Host category the sudo rule applies to.
required: false required: false
choices: ["all"] choices: ["all"]
cmd: allow_sudocmd:
description: List of sudocmds assigned to this sudorule. description: List of allowed sudocmds assigned to this sudorule.
required: false required: false
type: list type: list
cmdgroup: allow_sudocmdgroup:
description: List of sudocmd groups assigned to this sudorule. description: List of allowed sudocmd groups assigned to this sudorule.
required: false
type: list
deny_sudocmd:
description: List of denied sudocmds assigned to this sudorule.
required: false
type: list
deny_sudocmdgroup:
description: List of denied sudocmd groups assigned to this sudorule.
required: false required: false
type: list type: list
cmdcategory: cmdcategory:
description: Cammand category the sudo rule applies to description: Command category the sudo rule applies to
required: false required: false
choices: ["all"] choices: ["all"]
order:
description: Order to apply this rule.
required: false
type: int
sudooption:
description:
required: false
type: list
aliases: ["options"]
runasuser:
description: List of users for Sudo to execute as.
required: false
type: list
runasgroup:
description: List of groups for Sudo to execute as.
required: false
type: list
action: action:
description: Work on sudorule or member level description: Work on sudorule or member level
default: sudorule default: sudorule
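Review bot: `sudooption:` ships with an empty `description:`; fill it in (for example `List of sudo options applied to this sudorule.`), and document the `sudoorder` alias on `order`, since the argument spec in this commit declares `aliases=['sudoorder']` but the DOCUMENTATION block does not mention it.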
...@@ -113,7 +138,7 @@ EXAMPLES = """ ...@@ -113,7 +138,7 @@ EXAMPLES = """
- ipasudorule: - ipasudorule:
ipaadmin_password: pass1234 ipaadmin_password: pass1234
name: testrule1 name: testrule1
cmd: allow_sudocmd:
- /sbin/ifconfig - /sbin/ifconfig
- /usr/bin/vim - /usr/bin/vim
action: member action: member
...@@ -160,7 +185,7 @@ RETURN = """ ...@@ -160,7 +185,7 @@ RETURN = """
from ansible.module_utils.basic import AnsibleModule from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.ansible_freeipa_module import temp_kinit, \ from ansible.module_utils.ansible_freeipa_module import temp_kinit, \
temp_kdestroy, valid_creds, api_connect, api_command, compare_args_ipa, \ temp_kdestroy, valid_creds, api_connect, api_command, compare_args_ipa, \
module_params_get module_params_get, gen_add_del_lists
def find_sudorule(module, name): def find_sudorule(module, name):
...@@ -180,14 +205,26 @@ def find_sudorule(module, name): ...@@ -180,14 +205,26 @@ def find_sudorule(module, name):
return None return None
def gen_args(ansible_module): def gen_args(description, usercat, hostcat, cmdcat, runasusercat,
arglist = ['description', 'usercategory', 'hostcategory', 'cmdcategory', runasgroupcat, order, nomembers):
'runasusercategory', 'runasgroupcategory', 'nomembers']
_args = {} _args = {}
for arg in arglist:
value = module_params_get(ansible_module, arg) if description is not None:
if value is not None: _args['description'] = description
_args[arg] = value if usercat is not None:
_args['usercategory'] = usercat
if hostcat is not None:
_args['hostcategory'] = hostcat
if cmdcat is not None:
_args['cmdcategory'] = cmdcat
if runasusercat is not None:
_args['ipasudorunasusercategory'] = runasusercat
if runasgroupcat is not None:
_args['ipasudorunasgroupcategory'] = runasgroupcat
if order is not None:
_args['sudoorder'] = order
if nomembers is not None:
_args['nomembers'] = nomembers
return _args return _args
...@@ -212,13 +249,21 @@ def main(): ...@@ -212,13 +249,21 @@ def main():
hostgroup=dict(required=False, type='list', default=None), hostgroup=dict(required=False, type='list', default=None),
user=dict(required=False, type='list', default=None), user=dict(required=False, type='list', default=None),
group=dict(required=False, type='list', default=None), group=dict(required=False, type='list', default=None),
cmd=dict(required=False, type="list", default=None), allow_sudocmd=dict(required=False, type="list", default=None),
deny_sudocmd=dict(required=False, type="list", default=None),
allow_sudocmdgroup=dict(required=False, type="list", default=None),
deny_sudocmdgroup=dict(required=False, type="list", default=None),
cmdcategory=dict(required=False, type="str", default=None, cmdcategory=dict(required=False, type="str", default=None,
choices=["all"]), choices=["all"]),
runasusercategory=dict(required=False, type="str", default=None, runasusercategory=dict(required=False, type="str", default=None,
choices=["all"]), choices=["all"]),
runasgroupcategory=dict(required=False, type="str", default=None, runasgroupcategory=dict(required=False, type="str", default=None,
choices=["all"]), choices=["all"]),
runasuser=dict(required=False, type="list", default=None),
runasgroup=dict(required=False, type="list", default=None),
order=dict(type="int", required=False, aliases=['sudoorder']),
sudooption=dict(required=False, type='list', default=None,
aliases=["options"]),
action=dict(type="str", default="sudorule", action=dict(type="str", default="sudorule",
choices=["member", "sudorule"]), choices=["member", "sudorule"]),
# state # state
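Review bot: dropping `cmd` and `cmdgroup` in favour of `allow_sudocmd` and `allow_sudocmdgroup` is a backwards-incompatible rename; existing playbooks that pass `cmd:` will now fail with an unsupported-parameter error. Either keep the old names as deprecated aliases (`allow_sudocmd=dict(..., aliases=["cmd"])`) or state the rename explicitly in the commit message and README. Minor: `order=dict(type="int", required=False, aliases=['sudoorder'])` omits the `default=None` that every other entry carries; harmless, but inconsistent.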
...@@ -256,8 +301,16 @@ def main(): ...@@ -256,8 +301,16 @@ def main():
hostgroup = module_params_get(ansible_module, "hostgroup") hostgroup = module_params_get(ansible_module, "hostgroup")
user = module_params_get(ansible_module, "user") user = module_params_get(ansible_module, "user")
group = module_params_get(ansible_module, "group") group = module_params_get(ansible_module, "group")
cmd = module_params_get(ansible_module, 'cmd') allow_sudocmd = module_params_get(ansible_module, 'allow_sudocmd')
cmdgroup = module_params_get(ansible_module, 'cmdgroup') allow_sudocmdgroup = module_params_get(ansible_module,
'allow_sudocmdgroup')
deny_sudocmd = module_params_get(ansible_module, 'deny_sudocmd')
deny_sudocmdgroup = module_params_get(ansible_module,
'deny_sudocmdgroup')
sudooption = module_params_get(ansible_module, "sudooption")
order = module_params_get(ansible_module, "order")
runasuser = module_params_get(ansible_module, "runasuser")
runasgroup = module_params_get(ansible_module, "runasgroup")
action = module_params_get(ansible_module, "action") action = module_params_get(ansible_module, "action")
# state # state
...@@ -272,28 +325,30 @@ def main(): ...@@ -272,28 +325,30 @@ def main():
if action == "member": if action == "member":
invalid = ["description", "usercategory", "hostcategory", invalid = ["description", "usercategory", "hostcategory",
"cmdcategory", "runasusercategory", "cmdcategory", "runasusercategory",
"runasgroupcategory", "nomembers"] "runasgroupcategory", "order", "nomembers"]
for x in invalid: for arg in invalid:
if x in vars() and vars()[x] is not None: if arg in vars() and vars()[arg] is not None:
ansible_module.fail_json( ansible_module.fail_json(
msg="Argument '%s' can not be used with action " msg="Argument '%s' can not be used with action "
"'%s'" % (x, action)) "'%s'" % (arg, action))
elif state == "absent": elif state == "absent":
if len(names) < 1: if len(names) < 1:
ansible_module.fail_json(msg="No name given.") ansible_module.fail_json(msg="No name given.")
invalid = ["description", "usercategory", "hostcategory", invalid = ["description", "usercategory", "hostcategory",
"cmdcategory", "runasusercategory", "cmdcategory", "runasusercategory",
"runasgroupcategory", "nomembers"] "runasgroupcategory", "nomembers", "order"]
if action == "sudorule": if action == "sudorule":
invalid.extend(["host", "hostgroup", "user", "group", invalid.extend(["host", "hostgroup", "user", "group",
"cmd", "cmdgroup"]) "runasuser", "runasgroup", "allow_sudocmd",
for x in invalid: "allow_sudocmdgroup", "deny_sudocmd",
if vars()[x] is not None: "deny_sudocmdgroup", "sudooption"])
for arg in invalid:
if vars()[arg] is not None:
ansible_module.fail_json( ansible_module.fail_json(
msg="Argument '%s' can not be used with state '%s'" % msg="Argument '%s' can not be used with state '%s'" %
(x, state)) (arg, state))
elif state in ["enabled", "disabled"]: elif state in ["enabled", "disabled"]:
if len(names) < 1: if len(names) < 1:
...@@ -305,12 +360,14 @@ def main(): ...@@ -305,12 +360,14 @@ def main():
invalid = ["description", "usercategory", "hostcategory", invalid = ["description", "usercategory", "hostcategory",
"cmdcategory", "runasusercategory", "runasgroupcategory", "cmdcategory", "runasusercategory", "runasgroupcategory",
"nomembers", "nomembers", "host", "hostgroup", "nomembers", "nomembers", "host", "hostgroup",
"user", "group", "cmd", "cmdgroup"] "user", "group", "allow_sudocmd", "allow_sudocmdgroup",
for x in invalid: "deny_sudocmd", "deny_sudocmdgroup", "runasuser",
if vars()[x] is not None: "runasgroup", "order", "sudooption"]
for arg in invalid:
if vars()[arg] is not None:
ansible_module.fail_json( ansible_module.fail_json(
msg="Argument '%s' can not be used with state '%s'" % msg="Argument '%s' can not be used with state '%s'" %
(x, state)) (arg, state))
else: else:
ansible_module.fail_json(msg="Invalid state '%s'" % state) ansible_module.fail_json(msg="Invalid state '%s'" % state)
...@@ -335,7 +392,9 @@ def main(): ...@@ -335,7 +392,9 @@ def main():
# Create command # Create command
if state == "present": if state == "present":
# Generate args # Generate args
args = gen_args(ansible_module) args = gen_args(description, usercategory, hostcategory,
cmdcategory, runasusercategory,
runasgroupcategory, order, nomembers)
if action == "sudorule": if action == "sudorule":
# Found the sudorule # Found the sudorule
if res_find is not None: if res_find is not None:
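Review bot: `gen_args` now takes eight positional arguments of the same shape, so a reordered call (for example swapping `usercategory` and `hostcategory`) would silently write the wrong category and nothing would catch it. Call it with keyword arguments, `gen_args(description=description, usercat=usercategory, hostcat=hostcategory, ...)`, or keep the parameter names identical to the module parameter names so a mismatch is visible at the call site.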
...@@ -351,44 +410,42 @@ def main(): ...@@ -351,44 +410,42 @@ def main():
res_find = {} res_find = {}
# Generate addition and removal lists # Generate addition and removal lists
host_add = list( host_add, host_del = gen_add_del_lists(
set(host or []) - host, res_find.get('member_host', []))
set(res_find.get("member_host", [])))
host_del = list( hostgroup_add, hostgroup_del = gen_add_del_lists(
set(res_find.get("member_host", [])) - hostgroup, res_find.get('member_hostgroup', []))
set(host or []))
hostgroup_add = list( user_add, user_del = gen_add_del_lists(
set(hostgroup or []) - user, res_find.get('member_user', []))
set(res_find.get("member_hostgroup", [])))
hostgroup_del = list( group_add, group_del = gen_add_del_lists(
set(res_find.get("member_hostgroup", [])) - group, res_find.get('member_group', []))
set(hostgroup or []))
allow_cmd_add, allow_cmd_del = gen_add_del_lists(
user_add = list( allow_sudocmd,
set(user or []) - res_find.get('memberallowcmd_sudocmd', []))
set(res_find.get("member_user", [])))
user_del = list( allow_cmdgroup_add, allow_cmdgroup_del = gen_add_del_lists(
set(res_find.get("member_user", [])) - allow_sudocmdgroup,
set(user or [])) res_find.get('memberallowcmd_sudocmdgroup', []))
group_add = list(
set(group or []) - deny_cmd_add, deny_cmd_del = gen_add_del_lists(
set(res_find.get("member_group", []))) deny_sudocmd,
group_del = list( res_find.get('memberdenycmd_sudocmd', []))
set(res_find.get("member_group", [])) -
set(group or [])) deny_cmdgroup_add, deny_cmdgroup_del = gen_add_del_lists(
deny_sudocmdgroup,
cmd_add = list( res_find.get('memberdenycmd_sudocmdgroup', []))
set(cmd or []) -
set(res_find.get("member_cmd", []))) sudooption_add, sudooption_del = gen_add_del_lists(
cmd_del = list( sudooption, res_find.get('ipasudoopt', []))
set(res_find.get("member_cmd", [])) -
set(cmd or [])) runasuser_add, runasuser_del = gen_add_del_lists(
cmdgroup_add = list( runasuser, res_find.get('ipasudorunas_user', []))
set(cmdgroup or []) -
set(res_find.get("member_cmdgroup", []))) runasgroup_add, runasgroup_del = gen_add_del_lists(
cmdgroup_del = list( runasgroup, res_find.get('ipasudorunas_group', []))
set(res_find.get("member_cmdgroup", [])) -
set(cmdgroup or []))
# Add hosts and hostgroups # Add hosts and hostgroups
if len(host_add) > 0 or len(hostgroup_add) > 0: if len(host_add) > 0 or len(hostgroup_add) > 0:
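Review bot: please verify the `sudorule_show` result keys used for the run-as lists. Run-as users are read from `ipasudorunas_user`, which is right, but run-as groups are read from `ipasudorunas_group`; in FreeIPA that key holds groups usable as a run-as user, while run-as groups are reported under `ipasudorunasgroup_group`. If the key is wrong, existing run-as groups always look absent, every run re-adds them, and the module stops being idempotent. The new test playbooks only exercise `runasuser`, so add a `runasgroup` present/again pair with `failed_when: result.changed` on the second run to catch this.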
...@@ -420,21 +477,60 @@ def main(): ...@@ -420,21 +477,60 @@ def main():
"group": group_del, "group": group_del,
}]) }])
# Add commands # Add commands allowed
if len(cmd_add) > 0 or len(cmdgroup_add) > 0: if len(allow_cmd_add) > 0 or len(allow_cmdgroup_add) > 0:
commands.append([name, "sudorule_add_allow_command", commands.append([name, "sudorule_add_allow_command",
{ {"sudocmd": allow_cmd_add,
"sudocmd": cmd_add, "sudocmdgroup": allow_cmdgroup_add,
"sudocmdgroup": cmdgroup_add,
}]) }])
if len(cmd_del) > 0 or len(cmdgroup_del) > 0: if len(allow_cmd_del) > 0 or len(allow_cmdgroup_del) > 0:
commands.append([name, "sudorule_remove_allow_command",
{"sudocmd": allow_cmd_del,
"sudocmdgroup": allow_cmdgroup_del
}])
# Add commands denied
if len(deny_cmd_add) > 0 or len(deny_cmdgroup_add) > 0:
commands.append([name, "sudorule_add_deny_command", commands.append([name, "sudorule_add_deny_command",
{ {"sudocmd": deny_cmd_add,
"sudocmd": cmd_del, "sudocmdgroup": deny_cmdgroup_add,
"sudocmdgroup": cmdgroup_del
}]) }])
if len(deny_cmd_del) > 0 or len(deny_cmdgroup_del) > 0:
commands.append([name, "sudorule_remove_deny_command",
{"sudocmd": deny_cmd_del,
"sudocmdgroup": deny_cmdgroup_del
}])
# Add RunAS Users
if len(runasuser_add) > 0:
commands.append([name, "sudorule_add_runasuser",
{"user": runasuser_add}])
# Remove RunAS Users
if len(runasuser_del) > 0:
commands.append([name, "sudorule_remove_runasuser",
{"user": runasuser_del}])
# Add RunAS Groups
if len(runasgroup_add) > 0:
commands.append([name, "sudorule_add_runasgroup",
{"group": runasgroup_add}])
# Remove RunAS Groups
if len(runasgroup_del) > 0:
commands.append([name, "sudorule_remove_runasgroup",
{"group": runasgroup_del}])
# Add sudo options
for sudoopt in sudooption_add:
commands.append([name, "sudorule_add_option",
{"ipasudoopt": sudoopt}])
# Remove sudo options
for sudoopt in sudooption_del:
commands.append([name, "sudorule_remove_option",
{"ipasudoopt": sudoopt}])
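Review bot: the removal block for allowed commands (`sudorule_remove_allow_command`) is the only one without a comment; add `# Remove commands allowed` and `# Remove commands denied` so the four command blocks read symmetrically. This hunk also fixes a real bug: the old code removed allowed commands with `sudorule_add_deny_command`, which turned a removal into a deny entry. That behaviour change deserves a sentence in the commit message, since users who relied on the old result will see different rules after upgrading.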
elif action == "member": elif action == "member":
if res_find is None: if res_find is None:
ansible_module.fail_json(msg="No sudorule '%s'" % name) ansible_module.fail_json(msg="No sudorule '%s'" % name)
...@@ -456,12 +552,39 @@ def main(): ...@@ -456,12 +552,39 @@ def main():
}]) }])
# Add commands # Add commands
if cmd is not None: if allow_sudocmd is not None \
or allow_sudocmdgroup is not None:
commands.append([name, "sudorule_add_allow_command", commands.append([name, "sudorule_add_allow_command",
{ {"sudocmd": allow_sudocmd,
"sudocmd": cmd, "sudocmdgroup": allow_sudocmdgroup,
}])
# Add commands
if deny_sudocmd is not None \
or deny_sudocmdgroup is not None:
commands.append([name, "sudorule_add_deny_command",
{"sudocmd": deny_sudocmd,
"sudocmdgroup": deny_sudocmdgroup,
}]) }])
# Add RunAS Users
if runasuser is not None:
commands.append([name, "sudorule_add_runasuser",
{"user": runasuser}])
# Add RunAS Groups
if runasgroup is not None:
commands.append([name, "sudorule_add_runasgroup",
{"group": runasgroup}])
# Add options
if sudooption is not None:
existing_opts = res_find.get('ipasudoopt', [])
for sudoopt in sudooption:
if sudoopt not in existing_opts:
commands.append([name, "sudorule_add_option",
{"ipasudoopt": sudoopt}])
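Review bot: the comment above the `deny_sudocmd` block repeats `# Add commands`; make it `# Add denied commands`. Also, the options loop filters against `existing_opts` before calling `sudorule_add_option`, whereas the command and run-as blocks send the full list and rely on the "already a member" errors being ignored later; add a comment explaining why options need the pre-check (presumably because a duplicate option is not reported as "already a member"), otherwise the next reader will assume one of the two paths is wrong.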
elif state == "absent": elif state == "absent":
if action == "sudorule": if action == "sudorule":
if res_find is not None: if res_find is not None:
...@@ -487,13 +610,41 @@ def main(): ...@@ -487,13 +610,41 @@ def main():
"group": group, "group": group,
}]) }])
# Remove commands # Remove allow commands
if cmd is not None: if allow_sudocmd is not None \
commands.append([name, "sudorule_add_deny_command", or allow_sudocmdgroup is not None:
{ commands.append([name, "sudorule_remove_allow_command",
"sudocmd": cmd, {"sudocmd": allow_sudocmd,
"sudocmdgroup": allow_sudocmdgroup
}]) }])
# Remove deny commands
if deny_sudocmd is not None \
or deny_sudocmdgroup is not None:
commands.append([name, "sudorule_remove_deny_command",
{"sudocmd": deny_sudocmd,
"sudocmdgroup": deny_sudocmdgroup
}])
# Remove RunAS Users
if runasuser is not None:
commands.append([name, "sudorule_remove_runasuser",
{"user": runasuser}])
# Remove RunAS Groups
if runasgroup is not None:
commands.append([name, "sudorule_remove_runasgroup",
{"group": runasgroup}])
# Remove options
if sudooption is not None:
existing_opts = res_find.get('ipasudoopt', [])
for sudoopt in sudooption:
if sudoopt in existing_opts:
commands.append([name,
"sudorule_remove_option",
{"ipasudoopt": sudoopt}])
elif state == "enabled": elif state == "enabled":
if res_find is None: if res_find is None:
ansible_module.fail_json(msg="No sudorule '%s'" % name) ansible_module.fail_json(msg="No sudorule '%s'" % name)
...@@ -530,9 +681,9 @@ def main(): ...@@ -530,9 +681,9 @@ def main():
changed = True changed = True
else: else:
changed = True changed = True
except Exception as e: except Exception as ex:
ansible_module.fail_json(msg="%s: %s: %s" % (command, name, ansible_module.fail_json(msg="%s: %s: %s" % (command, name,
str(e))) str(ex)))
# Get all errors # Get all errors
# All "already a member" and "not a member" failures in the # All "already a member" and "not a member" failures in the
# result are ignored. All others are reported. # result are ignored. All others are reported.
...@@ -549,8 +700,8 @@ def main(): ...@@ -549,8 +700,8 @@ def main():
if len(errors) > 0: if len(errors) > 0:
ansible_module.fail_json(msg=", ".join(errors)) ansible_module.fail_json(msg=", ".join(errors))
except Exception as e: except Exception as ex:
ansible_module.fail_json(msg=str(e)) ansible_module.fail_json(msg=str(ex))
finally: finally:
temp_kdestroy(ccache_dir, ccache_name) temp_kdestroy(ccache_dir, ccache_name)
...@@ -16,15 +16,22 @@ ...@@ -16,15 +16,22 @@
- name: Ensure some sudocmds are available - name: Ensure some sudocmds are available
ipasudocmd: ipasudocmd:
ipaadmin_password: pass1234 ipaadmin_password: MyPassword123
name: name:
- /sbin/ifconfig - /sbin/ifconfig
- /usr/bin/vim - /usr/bin/vim
state: present state: present
- name: Ensure sudocmdgroup is available
ipasudocmdgroup:
ipaadmin_password: MyPassword123
name: test_sudorule
sudocmd: /usr/bin/vim
state: present
- name: Ensure sudorules are absent - name: Ensure sudorules are absent
ipasudorule: ipasudorule:
ipaadmin_password: pass1234 ipaadmin_password: MyPassword123
name: name:
- testrule1 - testrule1
- allusers - allusers
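Review bot: the new sudocmdgroup is named `test_sudorule`, which reads as a sudorule name and makes the later `allow_sudocmdgroup: test_sudorule` tasks confusing; name it for what it is, for example `test_sudocmdgroup`. Make sure the end of this playbook also removes it with `ipasudocmdgroup ... state: absent`, alongside the sudocmds, so repeated test runs start from a clean server.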
...@@ -34,21 +41,21 @@ ...@@ -34,21 +41,21 @@
- name: Ensure sudorule is present - name: Ensure sudorule is present
ipasudorule: ipasudorule:
ipaadmin_password: pass1234 ipaadmin_password: MyPassword123
name: testrule1 name: testrule1
register: result register: result
failed_when: not result.changed failed_when: not result.changed
- name: Ensure sudorule is present again - name: Ensure sudorule is present again
ipasudorule: ipasudorule:
ipaadmin_password: pass1234 ipaadmin_password: MyPassword123
name: testrule1 name: testrule1
register: result register: result
failed_when: result.changed failed_when: result.changed
- name: Ensure sudorule is present, runAsUserCategory. - name: Ensure sudorule is present, runAsUserCategory.
ipasudorule: ipasudorule:
ipaadmin_password: pass1234 ipaadmin_password: MyPassword123
name: testrule1 name: testrule1
runAsUserCategory: all runAsUserCategory: all
register: result register: result
...@@ -56,7 +63,7 @@ ...@@ -56,7 +63,7 @@
- name: Ensure sudorule is present, with usercategory 'all' - name: Ensure sudorule is present, with usercategory 'all'
ipasudorule: ipasudorule:
ipaadmin_password: pass1234 ipaadmin_password: MyPassword123
name: allusers name: allusers
usercategory: all usercategory: all
register: result register: result
...@@ -64,7 +71,7 @@ ...@@ -64,7 +71,7 @@
- name: Ensure sudorule is present, with usercategory 'all', again - name: Ensure sudorule is present, with usercategory 'all', again
ipasudorule: ipasudorule:
ipaadmin_password: pass1234 ipaadmin_password: MyPassword123
name: allusers name: allusers
usercategory: all usercategory: all
register: result register: result
...@@ -72,7 +79,7 @@ ...@@ -72,7 +79,7 @@
- name: Ensure sudorule is present, with hostategory 'all' - name: Ensure sudorule is present, with hostategory 'all'
ipasudorule: ipasudorule:
ipaadmin_password: pass1234 ipaadmin_password: MyPassword123
name: allhosts name: allhosts
hostcategory: all hostcategory: all
register: result register: result
...@@ -80,7 +87,7 @@ ...@@ -80,7 +87,7 @@
- name: Ensure sudorule is present, with hostategory 'all', again - name: Ensure sudorule is present, with hostategory 'all', again
ipasudorule: ipasudorule:
ipaadmin_password: pass1234 ipaadmin_password: MyPassword123
name: allhosts name: allhosts
hostcategory: all hostcategory: all
register: result register: result
...@@ -88,13 +95,13 @@ ...@@ -88,13 +95,13 @@
- name: Ensure sudorule is disabled - name: Ensure sudorule is disabled
ipasudorule: ipasudorule:
ipaadmin_password: pass1234 ipaadmin_password: MyPassword123
name: testrule1 name: testrule1
state: disabled state: disabled
- name: Ensure sudorule is disabled, again - name: Ensure sudorule is disabled, again
ipasudorule: ipasudorule:
ipaadmin_password: pass1234 ipaadmin_password: MyPassword123
name: testrule1 name: testrule1
state: disabled state: disabled
register: result register: result
...@@ -102,7 +109,7 @@ ...@@ -102,7 +109,7 @@
- name: Ensure sudorule is enabled - name: Ensure sudorule is enabled
ipasudorule: ipasudorule:
ipaadmin_password: pass1234 ipaadmin_password: MyPassword123
name: testrule1 name: testrule1
state: enabled state: enabled
register: result register: result
...@@ -110,37 +117,77 @@ ...@@ -110,37 +117,77 @@
- name: Ensure sudorule is enabled, again - name: Ensure sudorule is enabled, again
ipasudorule: ipasudorule:
ipaadmin_password: pass1234 ipaadmin_password: MyPassword123
name: testrule1 name: testrule1
state: enabled state: enabled
register: result register: result
failed_when: result.changed failed_when: result.changed
- name: Ensure sudorule is present and some sudocmd are a member of it. - name: Ensure sudorule is present and some sudocmd are allowed.
ipasudorule: ipasudorule:
ipaadmin_password: pass1234 ipaadmin_password: MyPassword123
name: testrule1 name: testrule1
cmd: allow_sudocmd:
- /sbin/ifconfig - /sbin/ifconfig
- /usr/bin/vim
action: member action: member
register: result register: result
failed_when: not result.changed failed_when: not result.changed
- name: Ensure sudorule is present and some sudocmd are a member of it, again. - name: Ensure sudorule is present and some sudocmd are allowed, again.
ipasudorule: ipasudorule:
ipaadmin_password: pass1234 ipaadmin_password: MyPassword123
name: testrule1 name: testrule1
cmd: allow_sudocmd:
- /sbin/ifconfig - /sbin/ifconfig
action: member
register: result
failed_when: result.changed
- name: Ensure sudorule is present and some sudocmd are denyed.
ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
deny_sudocmd:
- /usr/bin/vim
action: member
register: result
failed_when: not result.changed
- name: Ensure sudorule is present and some sudocmd are denyed, again.
ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
deny_sudocmd:
- /usr/bin/vim - /usr/bin/vim
action: member action: member
register: result register: result
failed_when: result.changed failed_when: result.changed
- name: Ensure sudorule is present and, sudocmds are absent.
ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
allow_sudocmd: /sbin/ifconfig
deny_sudocmd: /usr/bin/vim
action: member
state: absent
register: result
failed_when: not result.changed
- name: Ensure sudorule is present and, sudocmds are absent, again.
ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
allow_sudocmd: /sbin/ifconfig
deny_sudocmd: /usr/bin/vim
action: member
state: absent
register: result
failed_when: result.changed
- name: Ensure sudorule is present with cmdcategory 'all'. - name: Ensure sudorule is present with cmdcategory 'all'.
ipasudorule: ipasudorule:
ipaadmin_password: pass1234 ipaadmin_password: MyPassword123
name: allcommands name: allcommands
cmdcategory: all cmdcategory: all
register: result register: result
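Review bot: typos in the new task names: `denyed` should be `denied` (two tasks), and `Ensure sudorule is present and, sudocmds are absent.` has a stray comma. The absent tasks also pass `allow_sudocmd: /sbin/ifconfig` as a scalar while the tasks just above use the list form; both work, but one form per test file is easier to maintain.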
...@@ -148,7 +195,7 @@ ...@@ -148,7 +195,7 @@
- name: Ensure sudorule is present with cmdcategory 'all', again. - name: Ensure sudorule is present with cmdcategory 'all', again.
ipasudorule: ipasudorule:
ipaadmin_password: pass1234 ipaadmin_password: MyPassword123
name: allcommands name: allcommands
cmdcategory: all cmdcategory: all
register: result register: result
...@@ -156,7 +203,7 @@ ...@@ -156,7 +203,7 @@
- name: Ensure host "{{ groups.ipaserver[0] }}" is present in sudorule. - name: Ensure host "{{ groups.ipaserver[0] }}" is present in sudorule.
ipasudorule: ipasudorule:
ipaadmin_password: pass1234 ipaadmin_password: MyPassword123
name: testrule1 name: testrule1
host: "{{ groups.ipaserver[0] }}" host: "{{ groups.ipaserver[0] }}"
action: member action: member
...@@ -165,7 +212,7 @@ ...@@ -165,7 +212,7 @@
- name: Ensure host "{{ groups.ipaserver[0] }}" is present in sudorule, again. - name: Ensure host "{{ groups.ipaserver[0] }}" is present in sudorule, again.
ipasudorule: ipasudorule:
ipaadmin_password: pass1234 ipaadmin_password: MyPassword123
name: testrule1 name: testrule1
host: "{{ groups.ipaserver[0] }}" host: "{{ groups.ipaserver[0] }}"
action: member action: member
...@@ -190,25 +237,77 @@ ...@@ -190,25 +237,77 @@
register: result register: result
failed_when: result.changed failed_when: result.changed
- name: Ensure sudorule sudocmds are absent - name: Ensure sudorule is present, with an allow_sudocmdgroup.
ipasudorule: ipasudorule:
ipaadmin_password: pass1234 ipaadmin_password: MyPassword123
name: testrule1 name: testrule1
cmd: allow_sudocmdgroup: test_sudorule
- /sbin/ifconfig state: present
- /usr/bin/vim register: result
failed_when: not result.changed
- name: Ensure sudorule is present, with an allow_sudocmdgroup, again.
ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
allow_sudocmdgroup: test_sudorule
state: present
register: result
failed_when: result.changed
- name: Ensure sudorule is present, but allow_sudocmdgroup is absent.
ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
allow_sudocmdgroup: test_sudorule
action: member action: member
state: absent state: absent
register: result register: result
failed_when: not result.changed failed_when: not result.changed
- name: Ensure sudorule sudocmds are absent, again - name: Ensure sudorule is present, but allow_sudocmdgroup is absent.
ipasudorule: ipasudorule:
ipaadmin_password: pass1234 ipaadmin_password: MyPassword123
name: testrule1 name: testrule1
cmd: allow_sudocmdgroup: test_sudorule
- /sbin/ifconfig action: member
- /usr/bin/vim state: absent
register: result
failed_when: result.changed
- name: Ensure sudorule is present, with an deny_sudocmdgroup.
ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
deny_sudocmdgroup: test_sudorule
state: present
register: result
failed_when: not result.changed
- name: Ensure sudorule is present, with an deny_sudocmdgroup, again.
ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
deny_sudocmdgroup: test_sudorule
state: present
register: result
failed_when: result.changed
- name: Ensure sudorule is present, but deny_sudocmdgroup is absent.
ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
deny_sudocmdgroup: test_sudorule
action: member
state: absent
register: result
failed_when: not result.changed
- name: Ensure sudorule is present, but deny_sudocmdgroup is absent, again.
ipasudorule:
ipaadmin_password: MyPassword123
name: testrule1
deny_sudocmdgroup: test_sudorule
action: member action: member
state: absent state: absent
register: result register: result
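Review bot: the two removed tasks ("Ensure sudorule sudocmds are absent" and "..., again", which used `cmd:` with `/sbin/ifconfig` and `/usr/bin/vim`) have no replacement in this hunk, so the sudocmd removal path is no longer exercised here even though the new `allow_sudocmdgroup` / `deny_sudocmdgroup` paths are; add the same present/absent/again pattern with `allow_sudocmd:` and `deny_sudocmd:` over those two commands. Two smaller points in the same hunk: the tasks that add a command group use `state: present` without `action: member` while the ones that remove it use `action: member`, so an `action: member` addition test would make the pair symmetric; and the task name "Ensure sudorule is present, but allow_sudocmdgroup is absent." is used twice (the second should end with ", again." as the deny counterpart does), while "with an deny_sudocmdgroup" should read "with a deny_sudocmdgroup".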
...@@ -216,7 +315,7 @@ ...@@ -216,7 +315,7 @@
- name: Ensure sudorule is absent - name: Ensure sudorule is absent
ipasudorule: ipasudorule:
ipaadmin_password: pass1234 ipaadmin_password: MyPassword123
name: testrule1 name: testrule1
state: absent state: absent
register: result register: result
...@@ -224,7 +323,7 @@ ...@@ -224,7 +323,7 @@
- name: Ensure sudorule is absent, again. - name: Ensure sudorule is absent, again.
ipasudorule: ipasudorule:
ipaadmin_password: pass1234 ipaadmin_password: MyPassword123
name: testrule1 name: testrule1
state: absent state: absent
register: result register: result
...@@ -232,7 +331,7 @@ ...@@ -232,7 +331,7 @@
- name: Ensure sudorule allhosts is absent - name: Ensure sudorule allhosts is absent
ipasudorule: ipasudorule:
ipaadmin_password: pass1234 ipaadmin_password: MyPassword123
name: allhosts name: allhosts
state: absent state: absent
register: result register: result
...@@ -240,7 +339,7 @@ ...@@ -240,7 +339,7 @@
- name: Ensure sudorule allhosts is absent, again - name: Ensure sudorule allhosts is absent, again
ipasudorule: ipasudorule:
ipaadmin_password: pass1234 ipaadmin_password: MyPassword123
name: allhosts name: allhosts
state: absent state: absent
register: result register: result
...@@ -248,7 +347,7 @@ ...@@ -248,7 +347,7 @@
- name: Ensure sudorule allusers is absent - name: Ensure sudorule allusers is absent
ipasudorule: ipasudorule:
ipaadmin_password: pass1234 ipaadmin_password: MyPassword123
name: allusers name: allusers
state: absent state: absent
register: result register: result
...@@ -256,7 +355,7 @@ ...@@ -256,7 +355,7 @@
- name: Ensure sudorule allusers is absent, again - name: Ensure sudorule allusers is absent, again
ipasudorule: ipasudorule:
ipaadmin_password: pass1234 ipaadmin_password: MyPassword123
name: allusers name: allusers
state: absent state: absent
register: result register: result
...@@ -264,7 +363,7 @@ ...@@ -264,7 +363,7 @@
- name: Ensure sudorule allcommands is absent - name: Ensure sudorule allcommands is absent
ipasudorule: ipasudorule:
ipaadmin_password: pass1234 ipaadmin_password: MyPassword123
name: allcommands name: allcommands
state: absent state: absent
register: result register: result
...@@ -272,8 +371,29 @@ ...@@ -272,8 +371,29 @@
- name: Ensure sudorule allcommands is absent, again - name: Ensure sudorule allcommands is absent, again
ipasudorule: ipasudorule:
ipaadmin_password: pass1234 ipaadmin_password: MyPassword123
name: allcommands name: allcommands
state: absent state: absent
register: result register: result
failed_when: result.changed failed_when: result.changed
# cleanup
- name : Ensure sudocmdgroup is absent
ipasudocmdgroup:
ipaadmin_password: MyPassword123
name: test_sudorule
state: absent
- name: Ensure hostgroup is absent.
ipahostgroup:
ipaadmin_password: MyPassword123
name: cluster
state: absent
- name: Ensure sudocmds are absent
ipasudocmd:
ipaadmin_password: MyPassword123
name:
- /sbin/ifconfig
- /usr/bin/vim
state: absent
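Review bot: `- name : Ensure sudocmdgroup is absent` has a stray space before the colon, unlike every other task in the file; make it `- name: Ensure sudocmdgroup is absent`. The cleanup tasks intentionally carry no `register` / `failed_when`, which is fine, but a short comment saying they are not assertions would keep the `# cleanup` marker from being read as a continuation of the test cases above it.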