Merge branch 'master' into enhanced-epp-support

saz · May 13, 2024 · 2accc9b · 2accc9b
2 parents c90fb87 + b6f6cbc
commit 2accc9b
Show file tree

Hide file tree

Showing 27 changed files with 481 additions and 70 deletions.
diff --git a/README.md b/README.md
@@ -39,31 +39,6 @@ If this is not what you're expecting, set `purge` and/or `config_file_replace` t
     }
 ```
 
-#### Selective Purge of sudoers.d Directory
-A combination of `prefix`, `suffix` and `purge_ignore` can be used to purge only files that puppet previously created.
-If `suffix` is specified all puppet created sudoers.d entries will have this suffix apprended to
-the thier file name. If `prefix` is specified all puppet created sudoers.d entries will have this prefix
-prepended. A ruby glob can be used as `ignore` to ignore all files that do not have
-this suffix.
-
-```puppet
-    class{'sudo':
-      suffix => '_puppet',
-      purge_ignore => '*[!_puppet]',
-    }
-```
-
-or
-
-```puppet
-    class{'sudo':
-      prefix => 'puppet_',
-      purge_ignore => '[!puppet_]*',
-    }
-```
-
-Due to limitations in ruby glob the prefix and ignore is recommended.
-
 #### Leave current sudo config as it is
 ```puppet
     class { 'sudo':
@@ -231,6 +206,22 @@ sudo::configs:
                     - 'ALL'
                 'commands':
                     - 'ALL'
+
+##### Override sudoers defaults
+
+You can modify `Default_Entry` lines by passing a `Hash` to `sudo::defaults`, where the key is `Defaults` parameter name (see `man 5 sudoers` for more details):
+
+```yaml
+sudo::defaults:
+    lecture:
+      value: always
+    badpass_message:
+      value: "Password is wrong, please try again"
+    passwd_tries:
+      value: 5
+    insults:
+    mailto:
+      value: [email protected]
 ```
 
 ##### Set a custom name for the sudoers file
@@ -252,31 +243,8 @@ sudo::conf { "foreman-proxy":
 
 ## sudo class parameters
 
-| Parameter           | Type    | Default     | Description |
-| :--------------     | :------ |:----------- | :---------- |
-| enable              | boolean | true        | Set this to remove or purge all sudoers configs |
-| package             | string  | OS specific | Set package name _(for unsupported platforms)_ |
-| package_ensure      | string  | present     | latest, absent, or a specific package version |
-| package_source      | string  | OS specific | Set package source _(for unsupported platforms)_ |
-| purge               | boolean | true        | Purge unmanaged files from config_dir |
-| purge_ignore        | string  | undef       | Files excluded from purging in config_dir |
-| config_file         | string  | OS specific | Set config_file _(for unsupported platforms)_ |
-| config_file_replace | boolean | true        | Replace config file with module config file |
-| includedirsudoers   | boolean | OS specific | Add #includedir /etc/sudoers.d with augeas |
-| config_dir          | string  | OS specific | Set config_dir _(for unsupported platforms)_ |
-| content             | string  | OS specific | Alternate content file location |
-| ldap_enable         | boolean | false       | Add support to LDAP |
-| configs             | hash    | {}          | A hash of sudo::conf's |
+See REFERENCE.md
 
 ## sudo::conf class / sudo::configs hash parameters
 
-| Parameter       | Type   | Default     | Description |
-| :-------------- | :----- |:----------- | :---------- |
-| ensure          | string | present     | present or absent |
-| priority        | number | 10          | file name prefix |
-| content         | string | undef       | content of configuration snippet |
-| source          | string | undef       | source of configuration snippet |
-| template        | string | undef       | template of configuration snippet |
-| template_epp    | hash   | undef       | template and parameters for an epp configuration snippet |
-| sudo_config_dir | string | OS Specific | configuration snippet directory _(for unsupported platforms)_ |
-| sudo_file_name  | string | undef		   | custom file name for sudo file in sudoers directory |
+See REFERENCE.md
diff --git a/REFERENCE.md b/REFERENCE.md
@@ -23,6 +23,15 @@ rpm. so we add a dependencies to the ldap module.
 
 * [`sudo::conf`](#sudo--conf): Manages sudo configuration snippets
 
+### Functions
+
+* [`sudo::defaults`](#sudo--defaults): Formats sudoers defaults config see https://linux.die.net/man/5/sudoers      Default_Type ::= 'Defaults' |                      'Defaults' '@
+
+### Data types
+
+* [`Sudo::Defaults`](#Sudo--Defaults): sudo defaults
+* [`Sudo::Defaults_operator`](#Sudo--Defaults_operator): custom datatype that validates sudo defaults operators
+
 ## Classes
 
 ### <a name="sudo"></a>`sudo`
@@ -43,6 +52,7 @@ The following parameters are available in the `sudo` class:
 
 * [`enable`](#-sudo--enable)
 * [`package`](#-sudo--package)
+* [`package_manage`](#-sudo--package_manage)
 * [`package_ldap`](#-sudo--package_ldap)
 * [`package_ensure`](#-sudo--package_ensure)
 * [`package_source`](#-sudo--package_source)
@@ -70,6 +80,7 @@ The following parameters are available in the `sudo` class:
 * [`wheel_config`](#-sudo--wheel_config)
 * [`sudoreplay_discard`](#-sudo--sudoreplay_discard)
 * [`configs`](#-sudo--configs)
+* [`defaults`](#-sudo--defaults)
 
 ##### <a name="-sudo--enable"></a>`enable`
 
@@ -89,6 +100,14 @@ what you're doing.
 
 Default value: `$sudo::params::package`
 
+##### <a name="-sudo--package_manage"></a>`package_manage`
+
+Data type: `Boolean`
+
+Whether or not to manage the sudo package.
+
+Default value: `true`
+
 ##### <a name="-sudo--package_ldap"></a>`package_ldap`
 
 Data type: `Optional[String[1]]`
@@ -326,6 +345,14 @@ A hash of sudo::conf's
 
 Default value: `{}`
 
+##### <a name="-sudo--defaults"></a>`defaults`
+
+Data type: `Sudo::Defaults`
+
+
+
+Default value: `$sudo::params::defaults`
+
 ### <a name="sudo--allow"></a>`sudo::allow`
 
 This class allows you to take complete advantage of automatic parameter
@@ -497,3 +524,85 @@ Path to use for executing the sudo syntax check
 
 Default value: `'/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'`
 
+## Functions
+
+### <a name="sudo--defaults"></a>`sudo::defaults`
+
+Type: Ruby 4.x API
+
+Formats sudoers defaults config see https://linux.die.net/man/5/sudoers
+
+    Default_Type ::= 'Defaults' |
+                     'Defaults' '@' Host_List |
+                     'Defaults' ':' User_List |
+                     'Defaults' '!' Cmnd_List |
+                     'Defaults' '>' Runas_List
+
+    Default_Entry ::= Default_Type Parameter_List
+
+    Parameter_List ::= Parameter |
+                       Parameter ',' Parameter_List
+
+    Parameter ::= Parameter '=' Value |
+                  Parameter '+=' Value |
+                  Parameter '-=' Value |
+                  '!'* Parameter
+
+The function is passed an Array of Tuples
+e.g. [["env_reset", nil]]
+     [["mailto", {"value" => root}]]
+
+#### `sudo::defaults(Any *$args)`
+
+Formats sudoers defaults config see https://linux.die.net/man/5/sudoers
+
+    Default_Type ::= 'Defaults' |
+                     'Defaults' '@' Host_List |
+                     'Defaults' ':' User_List |
+                     'Defaults' '!' Cmnd_List |
+                     'Defaults' '>' Runas_List
+
+    Default_Entry ::= Default_Type Parameter_List
+
+    Parameter_List ::= Parameter |
+                       Parameter ',' Parameter_List
+
+    Parameter ::= Parameter '=' Value |
+                  Parameter '+=' Value |
+                  Parameter '-=' Value |
+                  '!'* Parameter
+
+The function is passed an Array of Tuples
+e.g. [["env_reset", nil]]
+     [["mailto", {"value" => root}]]
+
+Returns: `String`
+
+##### `*args`
+
+Data type: `Any`
+
+
+
+## Data types
+
+### <a name="Sudo--Defaults"></a>`Sudo::Defaults`
+
+sudo defaults
+
+Alias of
+
+```puppet
+Hash[String, Variant[Struct[{
+                                      Optional[list] => String,
+                                      Optional[operator] => Sudo::Defaults_operator,
+                                      Optional[value] => Variant[String,Numeric],
+                                  }], Undef]]
+```
+
+### <a name="Sudo--Defaults_operator"></a>`Sudo::Defaults_operator`
+
+custom datatype that validates sudo defaults operators
+
+Alias of `Enum['=', '+=', '-=', '!']`
+
diff --git a/lib/puppet/functions/sudo/defaults.rb b/lib/puppet/functions/sudo/defaults.rb
@@ -0,0 +1,61 @@
+# frozen_string_literal: false
+
+# Formats sudoers defaults config see https://linux.die.net/man/5/sudoers
+#
+#     Default_Type ::= 'Defaults' |
+#                      'Defaults' '@' Host_List |
+#                      'Defaults' ':' User_List |
+#                      'Defaults' '!' Cmnd_List |
+#                      'Defaults' '>' Runas_List
+#
+#     Default_Entry ::= Default_Type Parameter_List
+#
+#     Parameter_List ::= Parameter |
+#                        Parameter ',' Parameter_List
+#
+#     Parameter ::= Parameter '=' Value |
+#                   Parameter '+=' Value |
+#                   Parameter '-=' Value |
+#                   '!'* Parameter
+#
+# The function is passed an Array of Tuples
+# e.g. [["env_reset", nil]]
+#      [["mailto", {"value" => root}]]
+Puppet::Functions.create_function(:'sudo::defaults') do
+  dispatch :defaults do
+    repeated_param 'Any', :args
+    return_type 'String'
+  end
+
+  def defaults(*args)
+    res = ''
+    raise "Unsupported number of arguments #{args.size}: #{args.inspect}" if args.nil?
+
+    args.each do |tuple|
+      raise "Unsupported number of arguments #{args.size}: #{args.inspect}" unless tuple.size == 2
+
+      res.concat(defaults_entry(tuple[0], tuple[1]))
+    end
+
+    res
+  end
+
+  def defaults_entry(key, config)
+    entry = "Defaults\t#{key}"
+
+    unless config.nil?
+      entry.concat((config['list']).to_s) if config.key? 'list'
+
+      operator = '='
+      operator = config['operator'] if config.key? 'operator'
+
+      if config.key? 'value'
+        val = config['value'].is_a?(String) ? "\"#{config['value']}\"" : config['value']
+
+        entry.concat("#{operator}#{val}")
+      end
+    end
+
+    entry.concat("\n")
+  end
+end
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -9,6 +9,9 @@
 #   Only set this, if your platform is not supported or you know,
 #   what you're doing.
 #
+# @param package_manage
+#   Whether or not to manage the sudo package.
+#
 # @param package_ldap
 #   Name of the package with ldap support, if ldap_enable is set.
 #
@@ -117,6 +120,7 @@
 class sudo (
   Boolean                                        $enable              = true,
   Optional[String[1]]                            $package             = $sudo::params::package,
+  Boolean                                        $package_manage      = true,
   Optional[String[1]]                            $package_ldap        = $sudo::params::package_ldap,
   String[1]                                      $package_ensure      = $sudo::params::package_ensure,
   Optional[String[1]]                            $package_source      = $sudo::params::package_source,
@@ -144,6 +148,7 @@
   Enum['absent','password','nopassword']         $wheel_config        = $sudo::params::wheel_config,
   Optional[Array[String[1]]]                     $sudoreplay_discard  = undef,
   Hash                                           $configs             = {},
+  Sudo::Defaults                                 $defaults            = $sudo::params::defaults,
 ) inherits sudo::params {
   case $enable {
     true: {
@@ -169,7 +174,7 @@
     }
     default: { fail('no $ldap_enable is set') }
   }
-  if $package_real {
+  if $package_real and $package_manage {
     class { 'sudo::package':
       package            => $package_real,
       package_ensure     => $package_ensure,