From 3328b3d402209171bb32e8e1e91c284d1a431a4e Mon Sep 17 00:00:00 2001
From: root
Date: Tue, 16 Apr 2019 15:40:40 -0400
Subject: [PATCH] Added the ability to specify groups as either as string or an array. Modify $sane_name to allow underscores and dashes as well.

---
 README.md | 4 ++--
 manifests/sudoers.pp | 21 +++++++++++++--------
 templates/sudoers.erb | 4 +++-
 3 files changed, 18 insertions(+), 11 deletions(-)

diff --git a/README.md b/README.md
index 59c1a0b..32cb759 100644
--- a/README.md
+++ b/README.md
@@ -3,7 +3,7 @@
 [![Build Status](https://travis-ci.org/arnoudj/puppet-sudo.png?branch=master)](https://travis-ci.org/arnoudj/puppet-sudo)
 
 Allow restricted root access for specified users. The name of the defined
-type must consist of only letters, numbers and underscores and should be
+type must consist of only letters, numbers, dashes and underscores and should be
 unique. If the name has incorrect characters the defined type will fail.
 Sudoers entries realised with the `sudo::sudoers` defined type will be stored in
 `"/etc/sudoers.d/[typename]"`.
@@ -45,7 +45,7 @@ Array of users that are allowed to execute the command(s).
 
 ### group
 
-Group that is allowed to execute the command(s). Cannot be combined with 'users'.
+String or array of groups that are allowed to execute the command(s). Cannot be combined with 'users'.
 
 ### hosts
 
diff --git a/manifests/sudoers.pp b/manifests/sudoers.pp
index d410b6b..c44b5fe 100644
--- a/manifests/sudoers.pp
+++ b/manifests/sudoers.pp
@@ -1,7 +1,7 @@
 # == Define: sudo
 #
 # Allow restricted root access for specified users. The name of the defined
-# type must consist of only letters, numbers and underscores. If the name
+# type must consist of only letters, numbers, dashes and underscores. If the name
 # has incorrect characters the defined type will fail.
 #
 # === Parameters
@@ -16,7 +16,8 @@
 # Array of users that are allowed to execute the command(s).
 #
 # [*group*]
-# Group that can run the listed commands. Cannot be combined with users.
+# String or array of groups that can run the listed commands.
+# Cannot be combined with users.
 #
 # [*hosts*]
 # Array of hosts that the command(s) can be executed on. Denying hosts using a
@@ -90,20 +91,24 @@
 }
 
 # filename as per the manual or aliases as per the sudoer spec must not
- # contain dots.
+ # contain dots. Replaces dashes with underscores, too.
 # As having dots in a username is legit, let's fudge
- $sane_name = regsubst($name, '\.', '_', 'G')
+ $sane_name = regsubst($name, '[\.-]', '_', 'G')
 $sudoers_user_file = "/etc/sudoers.d/${sane_priority}${sane_name}"
 
- if $sane_name !~ /^[A-Za-z][A-Za-z0-9_]*$/ {
- fail "Will not create sudoers file \"${sudoers_user_file}\" (for \"${name}\") should consist of letters numbers or underscores."
+ if $sane_name !~ /^[A-Za-z][A-Za-z0-9_\-]*$/ {
+ fail "Will not create sudoers file \"${sudoers_user_file}\" (for \"${name}\") should consist of letters, numbers, dashes or underscores."
 }
 
 if $users != undef and $group != undef {
 fail 'You cannot define both a list of users and a group. Choose one.'
 }
-
- validate_string($group)
+
+ case type3x($group) {
+ 'string': { $group_array = [ $group ] }
+ 'array': { $group_array = $group }
+ default: { fail('$group must be a string or an array. ') }
+ }
 
 if $ensure == 'present' {
 file { $sudoers_user_file:
diff --git a/templates/sudoers.erb b/templates/sudoers.erb
index 1e225cc..5503c68 100644
--- a/templates/sudoers.erb
+++ b/templates/sudoers.erb
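Review bot: The `\-` added to the character class in `if $sane_name !~ /^[A-Za-z][A-Za-z0-9_\-]*$/ {` can never match, because the new `$sane_name = regsubst($name, '[\.-]', '_', 'G')` two lines earlier has already turned every dash into an underscore; keeping the original class, `if $sane_name !~ /^[A-Za-z][A-Za-z0-9_]*$/ {`, preserves the invariant that `$sane_name` — which the template upper-cases into the `_USERS`/`_HOSTS`/`_RUNAS`/`_CMNDS` alias names — contains only `[A-Za-z0-9_]`, and the fail message should then keep saying "letters numbers or underscores" since it describes `$sane_name`, not `$name`. The new `case type3x($group)` checks only the container type: the array elements are never validated before the `templates/sudoers.erb` hunk writes each one verbatim after `%`, so an element containing whitespace, a comma or a newline would change the meaning of the generated sudoers line (the scalar form had the same gap; the array form widens it). Consider failing unless every element matches a group-name pattern such as `^[A-Za-z_][A-Za-z0-9_.-]*$`, and, if the `file` resource that begins at the end of this hunk does not already do so, adding `validate_cmd => '/usr/sbin/visudo -c -f %'` so a malformed entry is rejected before it replaces the live file. An empty array, and presumably an undef `$group` that reaches the 3.x function as `''` and becomes `['']`, also pass the case; whether that is acceptable depends on the parameter defaults outside this hunk.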
@@ -23,5 +23,7 @@ Defaults!<%= @sane_name.upcase %>_CMNDS <%= @defaults.class == Array ? @defaults
 <% if @users then -%>
 <%= @sane_name.upcase %>_USERS <%= @sane_name.upcase %>_HOSTS = (<%= @sane_name.upcase %>_RUNAS) <%= tags %> <%= @sane_name.upcase %>_CMNDS
 <% else -%>
-%<%= @group %> <%= @sane_name.upcase %>_HOSTS = (<%= @sane_name.upcase %>_RUNAS) <%= tags %> <%= @sane_name.upcase %>_CMNDS
+<% @group_array.each do |this_group| -%>
+%<%= this_group %> <%= @sane_name.upcase %>_HOSTS = (<%= @sane_name.upcase %>_RUNAS) <%= tags %> <%= @sane_name.upcase %>_CMNDS
+<% end -%>
 <% end -%>