diff --git a/manifests/conf.pp b/manifests/conf.pp index ab362f1..1e81813 100644 --- a/manifests/conf.pp +++ b/manifests/conf.pp @@ -1,124 +1,141 @@ # Define: sudo::conf # # This module manages sudo configurations # # Parameters: # [*ensure*] # Ensure if present or absent. # Default: present # # [*priority*] # Prefix file name with $priority # Default: 10 # # [*content*] # Content of configuration snippet. # Default: undef # # [*source*] # Source of configuration snippet. # Default: undef # # [*sudo_config_dir*] # Where to place configuration snippets. # Only set this, if your platform is not supported or # you know, what you're doing. # Default: auto-set, platform specific # # Actions: # Installs sudo configuration snippets # # Requires: # Class sudo # # Sample Usage: # sudo::conf { 'admins': # source => 'puppet:///files/etc/sudoers.d/admins', # } # # [Remember: No empty lines between comments and class definition] define sudo::conf( $ensure = present, $priority = 10, $content = undef, $source = undef, $template = undef, $sudo_config_dir = undef, $sudo_file_name = undef, $sudo_syntax_path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' ) { include ::sudo # Hack to allow the user to set the config_dir from the # sudo::config parameter, but default to $sudo::params::config_dir # if it is not provided. $sudo::params isn't included before # the parameters are loaded in. $sudo_config_dir_real = $sudo_config_dir ? { undef => $sudo::config_dir, $sudo_config_dir => $sudo_config_dir } # sudo skip file name that contain a "." $dname = regsubst($name, '\.', '-', 'G') if size("x${priority}") == 2 { $priority_real = "0${priority}" } else { $priority_real = $priority } # build current file name with path if $sudo_file_name != undef { $cur_file = "${sudo_config_dir_real}/${sudo_file_name}" } else { $cur_file = "${sudo_config_dir_real}/${priority_real}_${dname}" } # replace whitespace in file name $cur_file_real = regsubst($cur_file, '\s+', '_', 'G') Class['sudo'] -> Sudo::Conf[$name] if $::osfamily == 'RedHat' { if (versioncmp($::sudoversion, '1.7.2p1') < 0) { warning("Found sudo with version ${::sudoversion}, but at least version 1.7.2p1 is required!") } } if $content != undef { if $content =~ Array { $lines = join($content, "\n") $content_real = "# This file is managed by Puppet; changes may be overwritten\n${lines}\n" } else { $content_real = "# This file is managed by Puppet; changes may be overwritten\n${content}\n" } } elsif $template != undef { $content_real = template($template) } else { $content_real = undef } if $ensure == 'present' { - $notify_real = Exec["sudo-syntax-check for file ${cur_file}"] + if $sudo::validate_single { + $validate_cmd_real = 'visudo -c -f %' + } else { + $validate_cmd_real = undef + } + if $sudo::delete_on_error { + $notify_real = Exec["sudo-syntax-check for file ${cur_file}"] + $delete_cmd = "( rm -f '${cur_file_real}' && exit 1)" + } else { + $notify_real = Exec["sudo-syntax-check for file ${cur_file}"] + $errormsg = "Error on global-syntax-check with file ${cur_file_real}" + $delete_cmd = "( echo '${errormsg}' && echo '#${errormsg}' >>${cur_file_real} && exit 1)" + } } else { + $delete_cmd = '' $notify_real = undef + $validate_cmd_real = undef } file { "${priority_real}_${dname}": - ensure => $ensure, - path => $cur_file_real, - owner => 'root', - group => $sudo::params::config_file_group, - mode => $sudo::params::config_file_mode, - source => $source, - content => $content_real, - notify => $notify_real, + ensure => $ensure, + path => $cur_file_real, + owner => 'root', + group => $sudo::params::config_file_group, + mode => $sudo::params::config_file_mode, + source => $source, + content => $content_real, + notify => $notify_real, + validate_cmd => $validate_cmd_real, } exec {"sudo-syntax-check for file ${cur_file}": - command => "visudo -c -f '${cur_file_real}' || ( rm -f '${cur_file_real}' && exit 1)", + command => "visudo -c || ${delete_cmd}", refreshonly => true, path => $sudo_syntax_path, } + + } diff --git a/manifests/init.pp b/manifests/init.pp index c04bf88..fd60573 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,176 +1,190 @@ # Class: sudo # # This module manages sudo # # Parameters: # [*ensure*] # Ensure if present or absent. # Default: present # # [*package*] # Name of the package. # Only set this, if your platform is not supported or you know, # what you're doing. # Default: auto-set, platform specific # # [*package_ensure*] # Allows you to ensure a particular version of a package # Default: present / lastest for RHEL < 5.5 # # [*package_source*] # Where to find the package. Only set this on AIX (required) and # Solaris (required) or if your platform is not supported or you # know, what you're doing. # # The default for aix is the perzl sudo package. For solaris 10 we # use the official www.sudo.ws binary package. # # Default: AIX: perzl.org # Solaris: www.sudo.ws # # [*package_admin_file*] # Where to find a Solaris 10 package admin file for # an unattended installation. We do not supply a default file, so # this has to be staged separately # # Only set this on Solaris 10 (required) # Default: /var/sadm/install/admin/puppet # # [*purge*] # Whether or not to purge sudoers.d directory # Default: true # # [*purge_ignore*] # Files to exclude from purging in sudoers.d directory # Default: undef # # [*config_file*] # Main configuration file. # Only set this, if your platform is not supported or you know, # what you're doing. # Default: auto-set, platform specific # # [*config_dir*] # Main directory containing sudo snippets, imported via # includedir stanza in sudoers file # Default: auto-set, platform specific # # [*extra_include_dirs*] # Array of additional directories containing sudo snippets # Default: undef # # [*content*] # Alternate content file location # Only set this, if your platform is not supported or you know, # what you're doing. # Default: auto-set, platform specific # # [*ldap_enable*] # Enable ldap support on the package # Default: false # +# [*delete_on_error*] +# True if you want that the configuration is deleted on an error +# during a complete visudo -c run. If false it will just return +# an error and will add a comment to the sudoers configuration so +# that the resource will be checked at the following run. +# Default: true +# +# [*validate_single*] +# Do a validate on the "single" file in the sudoers.d directory. +# If the validate fail the file will not be saved or changed +# if a file already exist. +# Default: false +# # Actions: # Installs sudo package and checks the state of sudoers file and # sudoers.d directory. # # Requires: # Nothing # # Sample Usage: # class { 'sudo': } # # [Remember: No empty lines between comments and class definition] class sudo( Boolean $enable = true, String $package = $sudo::params::package, Optional[String] $package_ldap = $sudo::params::package_ldap, String $package_ensure = $sudo::params::package_ensure, Optional[String] $package_source = $sudo::params::package_source, Optional[String] $package_admin_file = $sudo::params::package_admin_file, Boolean $purge = true, Optional[String] $purge_ignore = undef, String $config_file = $sudo::params::config_file, Boolean $config_file_replace = true, String $config_file_mode = $sudo::params::config_file_mode, String $config_dir = $sudo::params::config_dir, String $config_dir_mode = $sudo::params::config_dir_mode, Optional[Array[String]] $extra_include_dirs = undef, String $content = $sudo::params::content, Boolean $ldap_enable = false, + Boolean $delete_on_error = true, + Boolean $validate_single = false, ) inherits sudo::params { case $enable { true: { $dir_ensure = 'directory' $file_ensure = 'present' } false: { $dir_ensure = 'absent' $file_ensure = 'absent' } default: { fail('no $enable is set') } } case $ldap_enable { true: { if $package_ldap == undef { fail('on your os ldap support for sudo is not yet supported') } $package_real = $package_ldap } false: { $package_real = $package } default: { fail('no $ldap_enable is set') } } - class { '::sudo::package': package => $package_real, package_ensure => $package_ensure, package_source => $package_source, package_admin_file => $package_admin_file, ldap_enable => $ldap_enable, } file { $config_file: ensure => $file_ensure, owner => 'root', group => $sudo::params::config_file_group, mode => $config_file_mode, replace => $config_file_replace, content => template($content), require => Class['sudo::package'], } file { $config_dir: ensure => $dir_ensure, owner => 'root', group => $sudo::params::config_file_group, mode => $config_dir_mode, recurse => $purge, purge => $purge, ignore => $purge_ignore, require => Class['sudo::package'], } # Load the Hiera based sudoer configuration (if enabled and present) # # NOTE: We must use 'include' here to avoid circular dependencies with # sudo::conf # # NOTE: There is no way to detect the existence of hiera. This automatic # functionality is therefore made exclusive to Puppet 3+ (hiera is embedded) # in order to preserve backwards compatibility. # # http://projects.puppetlabs.com/issues/12345 # if (versioncmp($::puppetversion, '3') != -1) { include '::sudo::configs' } anchor { 'sudo::begin': } -> Class['sudo::package'] -> anchor { 'sudo::end': } } diff --git a/spec/defines/sudo_spec.rb b/spec/defines/sudo_spec.rb index a02ed01..ca7aa8c 100644 --- a/spec/defines/sudo_spec.rb +++ b/spec/defines/sudo_spec.rb @@ -1,207 +1,207 @@ require 'spec_helper' describe 'sudo::conf', :type => :define do let(:title) { 'admins' } let(:filename) { '10_admins' } let(:file_path) { '/etc/sudoers.d/10_admins' } let :facts do { lsbdistcodename: 'wheezy', operatingsystemmajrelease: '7', operatingsystem: 'Debian', osfamily: 'Debian', puppetversion: '3.7.0' } end let :params do { priority: 10, content: '%admins ALL=(ALL) NOPASSWD: ALL', sudo_config_dir: '/etc/sudoers.d' } end describe 'when creating a sudo entry' do it do is_expected.to contain_sudo__conf('admins').with( priority: params[:priority], content: params[:content] ) end it do is_expected.to contain_file(filename).with( ensure: 'present', content: "# This file is managed by Puppet; changes may be overwritten\n%admins ALL=(ALL) NOPASSWD: ALL\n", owner: 'root', group: 'root', path: file_path, mode: '0440' ) end it do is_expected.to contain_exec("sudo-syntax-check for file #{params[:sudo_config_dir]}/#{params[:priority]}_#{title}").with( - command: "visudo -c -f '#{params[:sudo_config_dir]}/#{params[:priority]}_#{title}' || ( rm -f '#{params[:sudo_config_dir]}/#{params[:priority]}_#{title}' && exit 1)", + command: "visudo -c || ( rm -f '#{params[:sudo_config_dir]}/#{params[:priority]}_#{title}' && exit 1)", refreshonly: 'true' ) end it { is_expected.to contain_file(filename).that_notifies("Exec[sudo-syntax-check for file #{params[:sudo_config_dir]}/#{params[:priority]}_#{title}]") } it { is_expected.not_to contain_file(filename).that_requires("Exec[sudo-syntax-check for file #{params[:sudo_config_dir]}/#{params[:priority]}_#{title}]") } end describe 'when creating a sudo entry with single number priority' do let(:filename) { '05_admins' } let(:file_path) { '/etc/sudoers.d/05_admins' } let :params do { priority: 5, content: '%admins ALL=(ALL) NOPASSWD: ALL', sudo_config_dir: '/etc/sudoers.d' } end it do is_expected.to contain_sudo__conf('admins').with( priority: params[:priority], content: params[:content] ) end it do is_expected.to contain_file(filename).with( ensure: 'present', content: "# This file is managed by Puppet; changes may be overwritten\n%admins ALL=(ALL) NOPASSWD: ALL\n", owner: 'root', group: 'root', path: file_path, mode: '0440' ) end it do is_expected.to contain_exec("sudo-syntax-check for file #{params[:sudo_config_dir]}/0#{params[:priority]}_#{title}").with( - command: "visudo -c -f '#{params[:sudo_config_dir]}/0#{params[:priority]}_#{title}' || ( rm -f '#{params[:sudo_config_dir]}/0#{params[:priority]}_#{title}' && exit 1)", + command: "visudo -c || ( rm -f '#{params[:sudo_config_dir]}/0#{params[:priority]}_#{title}' && exit 1)", refreshonly: 'true' ) end it { is_expected.to contain_file(filename).that_notifies("Exec[sudo-syntax-check for file #{params[:sudo_config_dir]}/0#{params[:priority]}_#{title}]") } it { is_expected.not_to contain_file(filename).that_requires("Exec[sudo-syntax-check for file #{params[:sudo_config_dir]}/0#{params[:priority]}_#{title}]") } end describe 'when creating a sudo entry with whitespace in name' do let(:title) { 'admins hq' } let(:filename) { '05_admins hq' } let(:file_path) { '/etc/sudoers.d/05_admins_hq' } let :params do { priority: 5, content: '%admins_hq ALL=(ALL) NOPASSWD: ALL', sudo_config_dir: '/etc/sudoers.d' } end it do is_expected.to contain_sudo__conf('admins hq').with(:priority => params[:priority], :content => params[:content]) end it do is_expected.to contain_file(filename).with( ensure: 'present', content: "# This file is managed by Puppet; changes may be overwritten\n%admins_hq ALL=(ALL) NOPASSWD: ALL\n", owner: 'root', group: 'root', path: file_path, mode: '0440' ) end it do is_expected.to contain_exec("sudo-syntax-check for file #{params[:sudo_config_dir]}/0#{params[:priority]}_#{title}").with( - command: "visudo -c -f '#{file_path}' || ( rm -f '#{file_path}' && exit 1)", + command: "visudo -c || ( rm -f '#{file_path}' && exit 1)", refreshonly: 'true' ) end it { is_expected.to contain_file(filename).that_notifies("Exec[sudo-syntax-check for file #{params[:sudo_config_dir]}/0#{params[:priority]}_#{title}]") } it { is_expected.not_to contain_file(filename).that_requires("Exec[sudo-syntax-check for file #{params[:sudo_config_dir]}/0#{params[:priority]}_#{title}]") } end describe 'when removing an sudo entry' do let :params do { ensure: 'absent', priority: 10, content: '%admins ALL=(ALL) NOPASSWD: ALL', sudo_config_dir: '/etc/sudoers.d' } end it do is_expected.to contain_file(filename).with( ensure: 'absent', content: "# This file is managed by Puppet; changes may be overwritten\n%admins ALL=(ALL) NOPASSWD: ALL\n", owner: 'root', group: 'root', path: file_path, mode: '0440' ) end end describe 'when removing an sudo entry with single number priority' do let :params do { ensure: 'absent', priority: 5, content: '%admins ALL=(ALL) NOPASSWD: ALL', sudo_config_dir: '/etc/sudoers.d' } end let(:filename) { '05_admins' } let(:file_path) { '/etc/sudoers.d/05_admins' } it do is_expected.to contain_file(filename).with( ensure: 'absent', content: "# This file is managed by Puppet; changes may be overwritten\n%admins ALL=(ALL) NOPASSWD: ALL\n", owner: 'root', group: 'root', path: file_path, mode: '0440' ) end end describe 'when adding a sudo entry with array content' do let :params do { content: [ '%admins ALL=(ALL) NOPASSWD: ALL', '%wheel ALL=(ALL) NOPASSWD: ALL' ] } end let(:filename) { '10_admins' } let(:file_path) { '/etc/sudoers.d/10_admins' } it do is_expected.to contain_file(filename).with( ensure: 'present', content: "# This file is managed by Puppet; changes may be overwritten\n%admins ALL=(ALL) NOPASSWD: ALL\n%wheel ALL=(ALL) NOPASSWD: ALL\n", owner: 'root', group: 'root', path: file_path, mode: '0440' ) end end end