diff --git a/.rubocop.yml b/.rubocop.yml index 21617ba..4a63134 100644 --- a/.rubocop.yml +++ b/.rubocop.yml 
@@ -1,517 +1,511 @@ require: rubocop-rspec AllCops: TargetRubyVersion: 2.2 Include: - ./**/*.rb Exclude: - files/**/* - vendor/**/* - .vendor/**/* - pkg/**/* - spec/fixtures/**/* - Gemfile - Rakefile -Lint/ConditionPosition: +Layout/ConditionPosition: Enabled: true Lint/ElseLayout: Enabled: true Lint/UnreachableCode: Enabled: true Lint/UselessComparison: Enabled: true Lint/EnsureReturn: Enabled: true -Lint/HandleExceptions: +Lint/SuppressedException: Enabled: true Lint/ShadowingOuterLocalVariable: Enabled: true Lint/LiteralInInterpolation: Enabled: true Style/HashSyntax: Enabled: false Style/RedundantReturn: Enabled: true Lint/AmbiguousOperator: Enabled: true Lint/AssignmentInCondition: Enabled: true Layout/SpaceBeforeComment: Enabled: true Style/AndOr: Enabled: true Style/RedundantSelf: Enabled: true # Method length is not necessarily an indicator of code quality Metrics/MethodLength: Enabled: false # Module length is not necessarily an indicator of code quality Metrics/ModuleLength: Enabled: false Style/WhileUntilModifier: Enabled: true Lint/AmbiguousRegexpLiteral: Enabled: true Security/Eval: Enabled: true -Lint/BlockAlignment: +Layout/BlockAlignment: Enabled: true -Lint/DefEndAlignment: +Layout/DefEndAlignment: Enabled: true -Lint/EndAlignment: +Layout/EndAlignment: Enabled: true Lint/DeprecatedClassMethods: Enabled: true Lint/Loop: Enabled: true Lint/ParenthesesAsGroupedExpression: Enabled: true Lint/RescueException: Enabled: true -Lint/StringConversionInInterpolation: +Lint/RedundantStringCoercion: Enabled: true Lint/UnusedBlockArgument: Enabled: true Lint/UnusedMethodArgument: Enabled: true Lint/UselessAccessModifier: Enabled: true Lint/UselessAssignment: Enabled: true Lint/Void: Enabled: true Layout/AccessModifierIndentation: Enabled: true Naming/AccessorMethodName: Enabled: true Style/Alias: Enabled: true -Layout/AlignArray: +Layout/ArrayAlignment: Enabled: true -Layout/AlignHash: +Layout/HashAlignment: Enabled: true -Layout/AlignParameters: 
+Layout/ParameterAlignment: Enabled: true Metrics/BlockNesting: Enabled: true Style/AsciiComments: Enabled: true Style/Attr: Enabled: true Style/BracesAroundHashParameters: Enabled: true Style/CaseEquality: Enabled: true Layout/CaseIndentation: Enabled: true Style/CharacterLiteral: Enabled: true Naming/ClassAndModuleCamelCase: Enabled: true Style/ClassAndModuleChildren: Enabled: false Style/ClassCheck: Enabled: true # Class length is not necessarily an indicator of code quality Metrics/ClassLength: Enabled: false Style/ClassMethods: Enabled: true Style/ClassVars: Enabled: true Style/WhenThen: Enabled: true Style/WordArray: Enabled: true -Style/UnneededPercentQ: +Style/RedundantPercentQ: Enabled: true Layout/Tab: Enabled: true Layout/SpaceBeforeSemicolon: Enabled: true -Layout/TrailingBlankLines: +Layout/TrailingEmptyLines: Enabled: true Layout/SpaceInsideBlockBraces: Enabled: true Layout/SpaceInsideHashLiteralBraces: Enabled: true Layout/SpaceInsideParens: Enabled: true Layout/LeadingCommentSpace: Enabled: true -Layout/SpaceBeforeFirstArg: - Enabled: true - Layout/SpaceAfterColon: Enabled: true Layout/SpaceAfterComma: Enabled: true Layout/SpaceAfterMethodName: Enabled: true Layout/SpaceAfterNot: Enabled: true Layout/SpaceAfterSemicolon: Enabled: true Layout/SpaceAroundEqualsInParameterDefault: Enabled: true Layout/SpaceAroundOperators: Enabled: true Layout/SpaceBeforeBlockBraces: Enabled: true Layout/SpaceBeforeComma: Enabled: true Style/CollectionMethods: Enabled: true Layout/CommentIndentation: Enabled: true Style/ColonMethodCall: Enabled: true Style/CommentAnnotation: Enabled: true # 'Complexity' is very relative Metrics/CyclomaticComplexity: Enabled: false Naming/ConstantName: Enabled: true Style/Documentation: Enabled: false Style/DefWithParentheses: Enabled: true Style/PreferredHashMethods: Enabled: true Layout/DotPosition: EnforcedStyle: trailing Style/DoubleNegation: Enabled: true Style/EachWithObject: Enabled: true Layout/EmptyLineBetweenDefs: Enabled: 
true -Layout/IndentArray: +Layout/FirstArrayElementIndentation: Enabled: true -Layout/IndentHash: +Layout/FirstHashElementIndentation: Enabled: true Layout/IndentationConsistency: Enabled: true Layout/IndentationWidth: Enabled: true Layout/EmptyLines: Enabled: true Layout/EmptyLinesAroundAccessModifier: Enabled: true Style/EmptyLiteral: Enabled: true # Configuration parameters: AllowURI, URISchemes. -Metrics/LineLength: +Layout/LineLength: Enabled: false Style/MethodDefParentheses: Enabled: true Style/LineEndConcatenation: Enabled: true Layout/TrailingWhitespace: Enabled: true Style/StringLiterals: Enabled: true Style/TrailingCommaInArguments: Enabled: true Style/TrailingCommaInHashLiteral: Enabled: true Style/TrailingCommaInArrayLiteral: Enabled: true Style/GlobalVars: Enabled: true Style/GuardClause: Enabled: true Style/IfUnlessModifier: Enabled: true Style/MultilineIfThen: Enabled: true Style/NegatedIf: Enabled: true Style/NegatedWhile: Enabled: true Style/Next: Enabled: true Style/SingleLineBlockParams: Enabled: true Style/SingleLineMethods: Enabled: true Style/SpecialGlobalVars: Enabled: true Style/TrivialAccessors: Enabled: true Style/UnlessElse: Enabled: true Style/VariableInterpolation: Enabled: true Naming/VariableName: Enabled: true Style/WhileUntilDo: Enabled: true Style/EvenOdd: Enabled: true Naming/FileName: Enabled: true Style/For: Enabled: true Style/Lambda: Enabled: true Naming/MethodName: Enabled: true Style/MultilineTernaryOperator: Enabled: true Style/NestedTernaryOperator: Enabled: true Style/NilComparison: Enabled: true Style/FormatString: Enabled: true Style/MultilineBlockChain: Enabled: true Style/Semicolon: Enabled: true Style/SignalException: Enabled: true Style/NonNilCheck: Enabled: true Style/Not: Enabled: true Style/NumericLiterals: Enabled: true Style/OneLineConditional: Enabled: true Naming/BinaryOperatorParameterName: Enabled: true Style/ParenthesesAroundCondition: Enabled: true Style/PercentLiteralDelimiters: Enabled: true 
Style/PerlBackrefs: Enabled: true Naming/PredicateName: Enabled: true Style/RedundantException: Enabled: true Style/SelfAssignment: Enabled: true Style/Proc: Enabled: true Style/RaiseArgs: Enabled: true Style/RedundantBegin: Enabled: true Style/RescueModifier: Enabled: true # based on https://github.com/voxpupuli/modulesync_config/issues/168 Style/RegexpLiteral: EnforcedStyle: percent_r Enabled: true Lint/UnderscorePrefixedVariableName: Enabled: true Metrics/ParameterLists: Enabled: false Lint/RequireParentheses: Enabled: true Layout/SpaceBeforeFirstArg: Enabled: true Style/ModuleFunction: Enabled: true Lint/Debugger: Enabled: true Style/IfWithSemicolon: Enabled: true Style/Encoding: Enabled: true Style/BlockDelimiters: Enabled: true Style/FormatStringToken: Enabled: false Layout/MultilineBlockLayout: Enabled: true # 'Complexity' is very relative Metrics/AbcSize: Enabled: False Metrics/BlockLength: Enabled: False # 'Complexity' is very relative Metrics/PerceivedComplexity: Enabled: False -Lint/UselessAssignment: - Enabled: true - Layout/ClosingParenthesisIndentation: Enabled: false -Metrics/BlockLength: - Enabled: false - # RSpec # We don't use rspec in this way RSpec/DescribeClass: Enabled: False # Example length is not necessarily an indicator of code quality RSpec/ExampleLength: Enabled: False RSpec/NestedGroups: Max: 4 RSpec/MultipleExpectations: Max: 2 + +RSpec/NamedSubject: + Enabled: false diff --git a/Gemfile b/Gemfile index e4bf1a7..015fc4d 100644 --- a/Gemfile +++ b/Gemfile 
@@ -1,55 +1,56 @@ source ENV['GEM_SOURCE'] || 'https://rubygems.org' def location_for(place, fake_version = nil) if place =~ /^(git[:@][^#]*)#(.*)/ [fake_version, { git: $1, branch: $2, require: false }].compact elsif place =~ /^file:\/\/(.*)/ ['>= 0', { path: File.expand_path($1), require: false }] else [place, { require: false }] end end group :test do gem 'puppetlabs_spec_helper', require: false gem 'rspec-puppet', require: false, git: 'https://github.com/rodjek/rspec-puppet.git' gem 'rspec-puppet-facts', require: false gem 'rspec-puppet-utils', require: false gem 'puppet-lint-absolute_classname-check', require: false gem 'puppet-lint-leading_zero-check', require: false gem 'puppet-lint-trailing_comma-check', require: false gem 'puppet-lint-version_comparison-check', require: false gem 'puppet-lint-classes_and_types_beginning_with_digits-check', require: false gem 'puppet-lint-unquoted_string-check', require: false gem 'puppet-lint-variable_contains_upcase', require: false gem 'metadata-json-lint', require: false gem 'puppet-blacksmith', require: false gem 'voxpupuli-release', require: false, git: 'https://github.com/voxpupuli/voxpupuli-release-gem.git' - gem 'rubocop-rspec', '~> 1.5', require: false if RUBY_VERSION >= '2.2.0' + gem 'rubocop', '~> 0.49.1', require: false + gem 'rubocop-rspec', require: false gem 'json_pure', '<= 2.0.1', require: false if RUBY_VERSION < '2.0.0' gem 'rspec-its', require: false end group :development do gem 'travis', require: false gem 'travis-lint', require: false gem 'guard-rake', require: false end group :system_tests do gem 'beaker', :require => false gem 'beaker-rspec', :require => false gem 'serverspec', :require => false gem 'beaker-puppet_install_helper', require: false end if (facterversion = ENV['FACTER_GEM_VERSION']) gem 'facter', facterversion.to_s, require: false, groups: [:test] else gem 'facter', require: false, groups: [:test] end ENV['PUPPET_VERSION'].nil? ? 
puppetversion = '~> 4.0' : puppetversion = ENV['PUPPET_VERSION'].to_s gem 'puppet', puppetversion, require: false, groups: [:test] # vim: syntax=ruby diff --git a/manifests/params.pp b/manifests/params.pp index 23f325f..0c42935 100644 --- a/manifests/params.pp +++ b/manifests/params.pp 
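Review bot: The new pin `gem 'rubocop', '~> 0.49.1', require: false` does not match the `.rubocop.yml` hunk in this same commit, which switches to cop names such as `Layout/LineLength`, `Lint/SuppressedException` and `Layout/HashAlignment`. As far as I know those names only exist in considerably later RuboCop releases, so a 0.49.x run would treat them as unrecognized and the corresponding checks would not be applied under either name. Raise the pin to a release that knows the renamed cops, or keep the old names while 0.49.x stays pinned. The `if RUBY_VERSION >= '2.2.0'` guard was also dropped and `rubocop-rspec` lost its `'~> 1.5'` constraint, so check installs on the old Rubies that the `json_pure` line still caters for, and check which rubocop-rspec version Bundler resolves.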
@@ -1,227 +1,228 @@ #class sudo::params #Set the paramters for the sudo module class sudo::params { $content_base = "${module_name}/" $config_file_mode = '0440' $config_dir_mode = '0550' case $::osfamily { 'Debian': { case $::operatingsystem { 'Ubuntu': { $content = "${content_base}sudoers.ubuntu.erb" } default: { if (versioncmp($::operatingsystemmajrelease, '7') >= 0) or ($::operatingsystemmajrelease =~ /\/sid/) or ($::operatingsystemmajrelease =~ /Kali/) { $content = "${content_base}sudoers.debian.erb" } else { $content = "${content_base}sudoers.olddebian.erb" } } } $package = 'sudo' $package_ldap = 'sudo-ldap' $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d' $config_file_group = 'root' $config_dir_keepme = false } 'RedHat': { $package = 'sudo' # in redhat sudo package is already compiled for ldap support $package_ldap = $package # rhel 5.0 to 5.4 use sudo 1.6.9 which does not support # includedir, so we have to make sure sudo 1.7 (comes with rhel # 5.5) is installed. $package_ensure = $::operatingsystemrelease ? { /^5.[01234]$/ => 'latest', default => 'present', } $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d' $content = $::operatingsystemrelease ? 
{ /^5/ => "${content_base}sudoers.rhel5.erb", /^6/ => "${content_base}sudoers.rhel6.erb", /^7/ => "${content_base}sudoers.rhel7.erb", - default => "${content_base}sudoers.rhel6.erb", + /^8/ => "${content_base}sudoers.rhel8.erb", + default => "${content_base}sudoers.rhel8.erb", } $config_file_group = 'root' $config_dir_keepme = false } 'Suse': { $package = 'sudo' $package_ldap = $package $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d' $content = "${content_base}sudoers.suse.erb" $config_file_group = 'root' $config_dir_keepme = false } 'Solaris': { case $::operatingsystem { 'OmniOS': { $package = 'sudo' $package_ldap = undef $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d' $content = "${content_base}sudoers.omnios.erb" $config_file_group = 'root' $config_dir_keepme = false } 'SmartOS': { $package = 'sudo' $package_ldap = undef $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/opt/local/etc/sudoers' $config_dir = '/opt/local/etc/sudoers.d' $content = "${content_base}sudoers.smartos.erb" $config_file_group = 'root' $config_dir_keepme = false } default: { case $::kernelrelease { '5.11': { $package = 'pkg://solaris/security/sudo' $package_ldap = undef $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d' $content = "${content_base}sudoers.solaris.erb" $config_file_group = 'root' $config_dir_keepme = false } '5.10': { $package = 'TCMsudo' $package_ldap = undef $package_ensure = 'present' $package_source = "http://www.sudo.ws/sudo/dist/packages/Solaris/10/TCMsudo-1.8.9p5-${::hardwareisa}.pkg.gz" $package_admin_file = '/var/sadm/install/admin/puppet' $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d' $content = "${content_base}sudoers.solaris.erb" $config_file_group = 'root' 
$config_dir_keepme = false } default: { fail("Unsupported platform: ${::osfamily}/${::operatingsystem}/${::kernelrelease}") } } } } } 'FreeBSD': { $package = 'security/sudo' $package_ldap = undef $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/usr/local/etc/sudoers' $config_dir = '/usr/local/etc/sudoers.d' $content = "${content_base}sudoers.freebsd.erb" $config_file_group = 'wheel' $config_dir_keepme = true } 'OpenBSD': { if (versioncmp($::kernelversion, '5.8') < 0) { $package = undef } else { $package = 'sudo' } $package_ldap = undef $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d' $content = "${content_base}sudoers.openbsd.erb" $config_file_group = 'wheel' $config_dir_keepme = false } 'AIX': { $package = 'sudo' $package_ldap = undef $package_ensure = 'present' - $package_source = 'http://www.sudo.ws/sudo/dist/packages/AIX/5.3/sudo-1.8.9-6.aix53.lam.rpm' $package_provider_override = 'rpm' + $package_source = 'http://www.sudo.ws/sudo/dist/packages/AIX/5.3/sudo-1.8.27-1.aix53.rpm' $package_admin_file = '' $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d' $content = "${content_base}sudoers.aix.erb" $config_file_group = 'system' $config_dir_keepme = false } 'Darwin': { $package = undef $package_ldap = undef $package_ensure = 'present' $package_source = '' $package_admin_file = '' $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d' $content = "${content_base}sudoers.darwin.erb" $config_file_group = 'wheel' $config_dir_keepme = false } default: { case $::operatingsystem { 'Gentoo': { $package = 'sudo' $package_ldap = $package $package_ensure = 'present' $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d' $content = "${content_base}sudoers.gentoo.erb" $config_file_group = 'root' $config_dir_keepme = false } - 'Archlinux': { + /^(Archlinux|Manjarolinux)$/: { $package = 'sudo' $package_ldap = $package $package_ensure 
= 'present' $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d' $content = "${content_base}sudoers.archlinux.erb" $config_file_group = 'root' $config_dir_keepme = false } 'Amazon': { $package = 'sudo' $package_ldap = $package $package_ensure = 'present' $config_file = '/etc/sudoers' $config_dir = '/etc/sudoers.d' $content = $::operatingsystemrelease ? { /^5/ => "${content_base}sudoers.rhel5.erb", /^6/ => "${content_base}sudoers.rhel6.erb", default => "${content_base}sudoers.rhel6.erb", } $config_file_group = 'root' $config_dir_keepme = false } default: { fail("Unsupported platform: ${::osfamily}/${::operatingsystem}") } } $package_source = '' $package_admin_file = '' } } } diff --git a/spec/classes/package_aix_spec.rb b/spec/classes/package_aix_spec.rb index 9d464f2..d254428 100644 --- a/spec/classes/package_aix_spec.rb +++ b/spec/classes/package_aix_spec.rb @@ -1,51 +1,51 @@ require 'spec_helper' describe 'sudo::package::aix' do describe 'on supported osfamily: AIX' do let :params do { + :package_provider_override => 'rpm' :package => 'sudo', :package_ensure => 'present', - :package_source => 'http://www.sudo.ws/sudo/dist/packages/AIX/5.3/sudo-1.8.9-6.aix53.lam.rpm' - :package_provider_override => 'rpm' + :package_source => 'http://www.sudo.ws/sudo/dist/packages/AIX/5.3/sudo-1.8.27-1.aix53.rpm' } end let :facts do { :osfamily => 'AIX' } end it do is_expected.to contain_package('sudo').with( 'ensure' => 'present', - 'source' => 'http://www.sudo.ws/sudo/dist/packages/AIX/5.3/sudo-1.8.9-6.aix53.lam.rpm', + 'source' => 'http://www.sudo.ws/sudo/dist/packages/AIX/5.3/sudo-1.8.27-1.aix53.rpm', 'provider' => 'rpm' ) end end let :params do { :package => 'sudo', :package_ensure => 'present', :package_source => undef :package_provider_override => 'yum' } end let :facts do { :osfamily => 'AIX' } end it do is_expected.to contain_package('sudo').with( 'ensure' => 'present', 'source' => undef, 'provider' => 'yum' ) end end end 
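Review bot: The updated AIX `$package_source` still fetches the sudo RPM over plain `http://`, and nothing visible in this hunk verifies the file before it is installed, so the package that mediates root access on the host is only as trustworthy as the network path to the mirror. Prefer `$package_source = 'https://www.sudo.ws/sudo/dist/packages/AIX/5.3/sudo-1.8.27-1.aix53.rpm'` if the mirror serves that path over TLS, or point at an internal repository with signature checking. The Solaris 10 `TCMsudo` source in the context lines has the same issue, and the two spec files repeat the URL. Separately, the RedHat `default` now maps every unmatched release to `sudoers.rhel8.erb` while the Amazon selector still defaults to `sudoers.rhel6.erb`, which deserves a comment explaining the choice.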
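Review bot: The re-ordered params hash is missing a comma: `:package_provider_override => 'rpm'` is now followed directly by `:package => 'sudo',`, so the file will not parse and the AIX package example cannot run. The added line should read `:package_provider_override => 'rpm',`. The same slip is in the `spec/classes/sudo_spec.rb` hunk, where the new `'package_source' => '…sudo-1.8.27-1.aix53.rpm'` line dropped the trailing comma the removed line had, before `'package_provider_override'`. The second `let :params` block in the context lines (`:package_source => undef` with no comma) looks broken as well, though this commit does not touch it.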
diff --git a/spec/classes/sudo_spec.rb b/spec/classes/sudo_spec.rb index 1d3d49f..e18aa20 100644 --- a/spec/classes/sudo_spec.rb +++ b/spec/classes/sudo_spec.rb 
@@ -1,242 +1,242 @@ require 'spec_helper' describe 'sudo' do let :default_params do { :enable => true, :package_ensure => 'present', :purge => true, :config_file_replace => true } end [{}, { :package_ensure => 'present', :purge => false, :config_file_replace => false }, { :package_ensure => 'latest', :purge => true, :config_file_replace => false }].each do |param_set| describe "when #{param_set == {} ? 'using default' : 'specifying'} class parameters" do let :param_hash do default_params.merge(param_set) end let :params do param_set end %w[Debian Redhat].each do |osfamily| let :facts do { :operatingsystem => osfamily, :operatingsystemrelease => '7.0', :operatingsystemmajrelease => '7', :osfamily => osfamily, :puppetversion => '3.7.0' } end describe "on supported osfamily: #{osfamily}" do it { is_expected.to contain_class('sudo::params') } it do is_expected.to contain_file('/etc/sudoers').with( 'ensure' => 'present', 'owner' => 'root', 'group' => 'root', 'mode' => '0440', 'replace' => param_hash[:config_file_replace] ) end it do is_expected.to contain_file('/etc/sudoers.d').with( 'ensure' => 'directory', 'owner' => 'root', 'group' => 'root', 'mode' => '0550', 'recurse' => param_hash[:purge], 'purge' => param_hash[:purge] ) end it do is_expected.to contain_class('sudo::package').with( 'package' => 'sudo', 'package_ensure' => param_hash[:package_ensure] ) end end end describe 'on RedHat 5.4' do let :facts do { :osfamily => 'RedHat', :operatingsystemrelease => '5.4', :operatingsystemmajrelease => '5', :puppetversion => '3.7.0' } end it do if params == {} is_expected.to contain_class('sudo::package').with( 'package' => 'sudo', 'package_ensure' => 'latest' ) else is_expected.to contain_class('sudo::package').with( 'package' => 'sudo', 'package_ensure' => param_hash[:package_ensure] ) end end end describe 'on supported osfamily: AIX' do let :facts do { :osfamily => 'AIX', :puppetversion => '3.7.0' } end it { is_expected.to contain_class('sudo::params') } it do 
is_expected.to contain_file('/etc/sudoers').with( 'ensure' => 'present', 'owner' => 'root', 'group' => 'system', 'mode' => '0440', 'replace' => param_hash[:config_file_replace] ) end it do is_expected.to contain_file('/etc/sudoers.d').with( 'ensure' => 'directory', 'owner' => 'root', 'group' => 'system', 'mode' => '0550', 'recurse' => param_hash[:purge], 'purge' => param_hash[:purge] ) end it do is_expected.to contain_class('sudo::package').with( 'package' => 'sudo', 'package_ensure' => param_hash[:package_ensure], - 'package_source' => 'http://www.sudo.ws/sudo/dist/packages/AIX/5.3/sudo-1.8.9-6.aix53.lam.rpm', + 'package_source' => 'http://www.sudo.ws/sudo/dist/packages/AIX/5.3/sudo-1.8.27-1.aix53.rpm' 'package_provider_override' => param_hash[:package_provider_override] ) end end describe 'on supported osfamily: Solaris 10' do let :facts do { :operatingsystem => 'Solaris', :osfamily => 'Solaris', :kernelrelease => '5.10', :puppetversion => '3.7.0', :hardwareisa => 'i386' } end it { is_expected.to contain_class('sudo::params') } it do is_expected.to contain_file('/etc/sudoers').with( 'ensure' => 'present', 'owner' => 'root', 'group' => 'root', 'mode' => '0440', 'replace' => param_hash[:config_file_replace] ) end it do is_expected.to contain_file('/etc/sudoers.d').with( 'ensure' => 'directory', 'owner' => 'root', 'group' => 'root', 'mode' => '0550', 'recurse' => param_hash[:purge], 'purge' => param_hash[:purge] ) end it do is_expected.to contain_class('sudo::package').with( 'package' => 'TCMsudo', 'package_ensure' => param_hash[:package_ensure], 'package_source' => 'http://www.sudo.ws/sudo/dist/packages/Solaris/10/TCMsudo-1.8.9p5-i386.pkg.gz', 'package_admin_file' => '/var/sadm/install/admin/puppet' ) end context 'when package is set' do let :params do { :package => 'mysudo' } end it do is_expected.to contain_class('sudo::package').with( 'package' => 'mysudo' ) end end end describe 'on supported osfamily: Solaris 11' do let :facts do { :operatingsystem => 
'Solaris', :osfamily => 'Solaris', :kernelrelease => '5.11', :puppetversion => '3.7.0' } end it { is_expected.to contain_class('sudo::params') } it do is_expected.to contain_file('/etc/sudoers').with( 'ensure' => 'present', 'owner' => 'root', 'group' => 'root', 'mode' => '0440', 'replace' => param_hash[:config_file_replace] ) end it do is_expected.to contain_file('/etc/sudoers.d').with( 'ensure' => 'directory', 'owner' => 'root', 'group' => 'root', 'mode' => '0550', 'recurse' => param_hash[:purge], 'purge' => param_hash[:purge] ) end it do is_expected.to contain_class('sudo::package').with( 'package' => 'pkg://solaris/security/sudo', 'package_ensure' => param_hash[:package_ensure] ) end end end end end diff --git a/templates/sudoers.rhel8.erb b/templates/sudoers.rhel8.erb new file mode 100644 index 0000000..4489d41 --- /dev/null +++ b/templates/sudoers.rhel8.erb 
@@ -0,0 +1,135 @@ +# file managed by puppet (unless config_file_replace=false) +# +## Sudoers allows particular users to run various commands as +## the root user, without needing the root password. +## +## Examples are provided at the bottom of the file for collections +## of related commands, which can then be delegated out to particular +## users or groups. +## +## This file must be edited with the 'visudo' command. + +## Host Aliases +## Groups of machines. You may prefer to use hostnames (perhaps using +## wildcards for entire domains) or IP addresses instead. +# Host_Alias FILESERVERS = fs1, fs2 +# Host_Alias MAILSERVERS = smtp, smtp2 + +## User Aliases +## These aren't often necessary, as you can use regular groups +## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname +## rather than USERALIAS +# User_Alias ADMINS = jsmith, mikem + + +## Command Aliases +## These are groups of related commands... + +## Networking +# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool + +## Installation and management of software +# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum + +## Services +# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable + +## Updating the locate database +# Cmnd_Alias LOCATE = /usr/bin/updatedb + +## Storage +# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount + +## Delegating permissions +# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp + +## Processes +# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall + +## Drivers +# Cmnd_Alias DRIVERS = /sbin/modprobe + +# Defaults specification + +# +# Refuse 
to run if unable to disable echo on the tty. +# +Defaults !visiblepw + +# +# Preserving HOME has security implications since many programs +# use it when searching for configuration files. Note that HOME +# is already set when the the env_reset option is enabled, so +# this option is only effective for configurations where either +# env_reset is disabled or HOME is present in the env_keep list. +# +Defaults always_set_home +Defaults match_group_by_gid + +# Prior to version 1.8.15, groups listed in sudoers that were not +# found in the system group database were passed to the group +# plugin, if any. Starting with 1.8.15, only groups of the form +# %:group are resolved via the group plugin by default. +# We enable always_query_group_plugin to restore old behavior. +# Disable this option for new behavior. +Defaults always_query_group_plugin + +Defaults env_reset +Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" +Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" +Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" +Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" + +<% if @use_sudoreplay %> +Defaults log_output +Defaults!/usr/bin/sudoreplay !log_output +<% if @sudoreplay_discard %> +<% @sudoreplay_discard.each do |command| -%> +Defaults!<%= command %> !log_output +<% end -%> +<% end -%> +<% end -%> + +# +# Adding HOME to env_keep may enable a user to run unrestricted +# commands via sudo. +# +# Defaults env_keep += "HOME" + +Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/opt/puppetlabs/bin + +## Next comes the main part: which users can run what software on +## which machines (the sudoers file can be shared between multiple +## systems). +## Syntax: +## +## user MACHINE=COMMANDS +## +## The COMMANDS section may have other options added to it. 
+## +## Allow root to run any commands anywhere +root ALL=(ALL) ALL + +## Allows members of the 'sys' group to run networking, software, +## service management apps and more. +# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS + +## Allows people in group wheel to run all commands +%wheel ALL=(ALL) ALL + +## Same thing without a password +# %wheel ALL=(ALL) NOPASSWD: ALL + +## Allows members of the users group to mount and unmount the +## cdrom as root +# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom + +## Allows members of the users group to shutdown this system +# %users localhost=/sbin/shutdown -h now + +## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) +#includedir <%= @config_dir %> +<% @extra_include_dirs.each do |include_dir| -%> +#includedir <%= include_dir %> +<% end if @extra_include_dirs -%> diff --git a/templates/users_groups.erb b/templates/users_groups.erb index 513e7db..352fc06 100644 --- a/templates/users_groups.erb +++ b/templates/users_groups.erb @@ -1,9 +1,9 @@ # This file is managed by Puppet. All changes will be reverted # on the next Puppet run. Avoid making changes here. <%# We can prevent excess newlines by using a special "-%" closing tag -%> <% @users.each do |user| -%> <%= user %> ALL=(ALL) ALL <% end -%> <% @groups.each do |group| -%> -%%<%= group %> ALL=(ALL) ALL +%<%= group %> ALL=(ALL) ALL <% end -%>
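Review bot: `Defaults!<%= command %> !log_output` and `#includedir <%= include_dir %>` write parameter values into sudoers verbatim, so a value containing whitespace, a comma or a newline changes the meaning of the policy rather than failing. The same applies to `%<%= group %>` in the `templates/users_groups.erb` hunk that follows. The class that declares `sudoreplay_discard`, `extra_include_dirs`, `users` and `groups` is outside this diff, so I cannot see whether they are type-checked there. If they are not, constrain them (for example to absolute paths for the first two) and have the file resource validate the rendered result with `visudo -c -f %` via `validate_cmd` before it replaces the live file. A short ERB comment above each loop stating the expected value format would also help, e.g. `<%# each entry must be a single absolute path -%>`.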