sudo: complete refactor

files/sudoers

@@ -0,0 +1,90 @@
+## sudoers file.
+##
+## This file MUST be edited with the 'visudo' command as root.
+## Failure to use 'visudo' may result in syntax or file permission errors
+## that prevent sudo from running.
+##
+## See the sudoers man page for the details on how to write a sudoers file.
+##
+
+##
+## Host alias specification
+##
+## Groups of machines. These may include host names (optionally with wildcards),
+## IP addresses, network numbers or netgroups.
+# Host_Alias	WEBSERVERS = www1, www2, www3
+
+##
+## User alias specification
+##
+## Groups of users.  These may consist of user names, uids, Unix groups,
+## or netgroups.
+# User_Alias	ADMINS = millert, dowdy, mikef
+
+##
+## Cmnd alias specification
+##
+## Groups of commands.  Often used to group related commands together.
+# Cmnd_Alias	PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
+# 			    /usr/bin/pkill, /usr/bin/top
+
+##
+## Defaults specification
+##
+## You may wish to keep some of the following environment variables
+## when running commands via sudo.
+##
+## Locale settings
+# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
+##
+## Run X applications through sudo; HOME is used to find the
+## .Xauthority file.  Note that other programs use HOME to find   
+## configuration files and this may lead to privilege escalation!
+# Defaults env_keep += "HOME"
+##
+## X11 resource path settings
+# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
+##
+## Desktop path settings
+# Defaults env_keep += "QTDIR KDEDIR"
+##
+## Allow sudo-run commands to inherit the callers' ConsoleKit session
+# Defaults env_keep += "XDG_SESSION_COOKIE"
+##
+## Uncomment to enable special input methods.  Care should be taken as
+## this may allow users to subvert the command being run via sudo.
+# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
+##
+## Uncomment to enable logging of a command's output, except for
+## sudoreplay and reboot.  Use sudoreplay to play back logged sessions.
+# Defaults log_output
+# Defaults!/usr/bin/sudoreplay !log_output
+# Defaults!/usr/local/bin/sudoreplay !log_output
+# Defaults!/sbin/reboot !log_output
+
+##
+## Runas alias specification
+##
+
+##
+## User privilege specification
+##
+root ALL=(ALL) ALL
+
+## Uncomment to allow members of group wheel to execute any command
+# %wheel ALL=(ALL) ALL
+
+## Same thing without a password
+# %wheel ALL=(ALL) NOPASSWD: ALL
+
+## Uncomment to allow members of group sudo to execute any command
+# %sudo	ALL=(ALL) ALL
+
+## Uncomment to allow any user to run sudo if they know the password
+## of the user they are running the command as (root by default).
+# Defaults targetpw  # Ask for the password of the target user
+# ALL ALL=(ALL) ALL  # WARNING: only use this together with 'Defaults targetpw'
+
+## Read drop-in files from /etc/sudoers.d
+## (the '#' here does not indicate a comment)
+#includedir /etc/sudoers.d

manifests/conf.pp

@@ -0,0 +1,27 @@
+define sudo::conf (
+    $ensure     = "present",
+    $content    = "",
+    $source     = "") {
+
+    file { "/etc/sudoers.d/${name}":
+        ensure  => $ensure,
+        owner   => root,
+        group   => root,
+        mode    => 440,
+        content => $content ? {
+            ""      => undef,
+            default => $content,
+        },
+        source  => $source ? {
+            ""      => undef,
+            default => $source,
+        },
+        notify  => Exec["sudo-syntax-check $name"],
+        require => [ Package["sudo"], File["/etc/sudoers.d"], ],
+    }
+
+    exec { "sudo-syntax-check $name":
+        command     => "visudo -c -f /etc/sudoers.d/${name} || ( rm -f /etc/sudoers.d/${name} && exit 1)",
+        refreshonly => true,
+    }
+}

manifests/entry.pp

@@ -0,0 +1,37 @@
+define sudo::entry (
+    $ensure         = "present",
+    $comment        = "",
+    $user_alias     = "",
+    $runas_alias    = "",
+    $host_alias     = "",
+    $cmnd_alias     = "",
+    $tag_spec       = "",
+    $option         = "",
+    $user           = "$name",
+    $command        = "") {
+
+    # sudo skipping file names that contain a "."
+    $alias_name = regsubst($name, '\.', '-', 'G')
+
+    if $host_alias == "" {
+        $host = "ALL"
+    } else {
+        $host = "$alias_name"
+    }
+
+    if $runas_alias == "" {
+        $runas = "ALL"
+    } else {
+        $runas = "$alias_name"
+    }
+
+    if $cmnd_alias == "" {
+        $cmd = $command
+    } else {
+        $cmd = "$alias_name"
+    }
+    sudo::conf { "sudo_entry_${name}":
+        ensure  => $ensure,
+        content => template("sudo/sudoers.entry.erb"),
+    }
+}

manifests/init.pp

@@ -1,130 +1,19 @@
-# Class: sudo
-#
-# Installs sudo and manages config files for sudo. You most likely want to
-# include a sudoer_line as well, so that someone can sudo.
-#
-# Usage
-#   include sudo
-#
-class sudo {
-    include concat::setup
-    include sudo::params
-
-    package { 'sudo':
-        name   => "${params::package_name}",
-        ensure => present,
-    }
-
-    concat { "${sudo::params::sudoers_file}":
-        owner => root,
-        group => root,
-        mode => 440,
-        require => Package['sudo'],
-    }
-}
-
-# Define: sudo::sudoer_line
-#
-# Adds a line to /etc/sudoers via concat.
-#
-# This is lower level than will be used on individual nodes, and some smarter
-# wrappers are provided. Consider using sudo::sudoer and sudo::default.
-#
-# Parameters
-#   $line - The line to put in sudoers.
-#
-# Usage:
-#   # Give the group wheel sudo access the hard way.
-#   sudo::sudoer_line{"wheel_sudo":
-#       $line => "%wheel ALL=(ALL) ALL",
-#   }
-#
-define sudo::sudoers_line ($line) {
-
-    concat::fragment { "$name":
-        target => "${sudo::params::sudoers_file}",
-        content => "${line}\n",
-    }
-}
-
-# Define: sudo::sudoer
-#
-# Grants full sudo access to the named user or group.
-#
-# Parameters:
-#   $name - The name variable. This user/group will be granted sudo access.
-#     If the name starts with a '%', it refers to a group, otherwise a user.
-#
-#   $users - The list of users that $name is allowed to 'impersonate' with
-#     sudo.  Default: "ALL".
-#
-#   $commands - The list of commands that $name is allowed to run with sudo.
-#     Default "ALL".
-#
-#   $password - If true, a password will be required for sudo. If false, a
-#     password will not be required. Default: true.
-#
-# Usage
-#   # Give the group 'wheel' full access to password protected sudo.
-#   sudo::sudoer {"%wheel":}
-#
-#   # Give the user 'mike' access to impersonate only 'apache' without a password
-#   sudo::sudoer {"mike": $users="apache", password => false,}
-#
-define sudo::sudoer ($users="ALL", $commands="ALL", $password=true) {
-    $passwd = $password ? {
-        false   => "NOPASSWD:",
-        default => "PASSWD:",
-    }
-    # Hack hack - http://projects.puppetlabs.com/issues/show/2990
-    $users_str = inline_template("<%= if users.is_a?(String) then users; else users.join(',') end %>")
-    $commands_str = inline_template("<%= if commands.is_a?(String) then commands; else commands.join(',') end %>")
-
-    sudoers_line { "${name}_sudoer":
-        line    => "${name} ALL=(${users_str}) ${passwd}${commands_str}",
-    }
-}
-
-# Define: sudo::default
-#
-# Defines defaults for sudo
-#
-# Parameters:
-#   $name - The name variable. Only used as a part of the file name.
-#
-#   $option - The option to give to defaults. May be a string or an array of
-#     strings. Required.
-#
-#   $sudoers - The list of sudoers this default applies to. If none given, then
-#     the default is global. May be a string or an array of strings. Sudoers
-#     with % before their name refer to groups.
-#
-# Usage:
-#   sudo::default { 'env_reset':
-#       option => 'env_reset',
-#   }
-#
-#   sudo::default { 'wheel_env':
-#       option  => '!env_reset',
-#       sudoers => '%wheel',
-#   }
-#
-#   sudo::default { 'admins':
-#       option => ['timestamp_timeout=10', '!tty_tickets'],
-#       sudoers => ['bob', 'fred', 'alice'],
-#   }
-#
-define sudo::default ($option, $sudoers="") {
-    # Hack hack - http://projects.puppetlabs.com/issues/show/2990
-    $sudoers_str = $sudoers ? {
-        ""      => "",
-        default => inline_template(
-            "<%= if sudoers.is_a?(String) then (':'+sudoers); else (':'+sudoers.join(',')) end %>"
-        )
+class sudo ($ensure = "latest") {
+    package { "sudo":
+        ensure => $ensure,
     }
-    $option_str = inline_template("<%= if option.is_a?(String) then option; else option.join(',') end %>")
 
-    sudoers_line { "${name}_default":
-        line    => "Defaults${sudoers_str} ${option_str}",
+    file {
+        "/etc/sudoers":
+            ensure  => present,
+            owner   => root,
+            group   => root,
+            mode    => 440,
+            source  => "puppet:///modules/sudo/sudoers";
+        "/etc/sudoers.d":
+            ensure  => directory,
+            owner   => root,
+            group   => root,
+            mode    => 750;
     }
 }