saz · jay7x · Oct 21, 2024 · Oct 21, 2024 · Oct 21, 2024 · Oct 21, 2024
diff --git a/manifests/allow.pp b/manifests/allow.pp
@@ -42,10 +42,10 @@
 #   }
 #
 class sudo::allow (
-  Array           $add_users      = [],
-  Array           $add_groups     = [],
-  Optional[Array] $replace_users  = undef,
-  Optional[Array] $replace_groups = undef
+  Array[String[1]]           $add_users      = [],
+  Array[String[1]]           $add_groups     = [],
+  Optional[Array[String[1]]] $replace_users  = undef,
+  Optional[Array[String[1]]] $replace_groups = undef
 ) {
   if $replace_users != undef {
     $users = $replace_users
@@ -59,6 +59,6 @@
   }
 
   sudo::conf { 'sudo_users_groups':
-    content  => template("${module_name}/users_groups.erb"),
+    content  => epp("${module_name}/users_groups.epp", { users => $users, groups => $groups }),
   }
 }
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -135,7 +135,7 @@
   String[1]                                      $config_file_mode    = $sudo::params::config_file_mode,
   String[1]                                      $config_dir          = $sudo::params::config_dir,
   String[1]                                      $config_dir_mode     = $sudo::params::config_dir_mode,
-  Optional[Array[String[1]]]                     $extra_include_dirs  = undef,
+  Array[String[1]]                               $extra_include_dirs  = [],
   Optional[String[1]]                            $content             = undef,
   Optional[String[1]]                            $content_template    = undef,
   Optional[String[1]]                            $content_string      = undef,
@@ -206,7 +206,15 @@
     } elsif $content_template {
       $content_real = template($content_template)
     } else {
-      $content_real = template($sudo::params::content_template)
+      $content_real = epp($sudo::params::content_template, {
+          config_dir         => $config_dir,
+          defaults           => $defaults,
+          extra_include_dirs => $extra_include_dirs,
+          sudoreplay_discard => $sudoreplay_discard,
+          use_sudoreplay     => $use_sudoreplay,
+          wheel_config       => $wheel_config,
+          secure_path        => $secure_path,
+      })
     }
   }
 

diff --git a/manifests/params.pp b/manifests/params.pp
@@ -11,11 +11,11 @@
     'Debian': {
       case $facts['os']['name'] {
         'Ubuntu': {
-          $content_template = "${content_base}sudoers.ubuntu.erb"
+          $content_template = "${content_base}sudoers.ubuntu.epp"
           $secure_path      = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/puppetlabs/bin:/snap/bin'
         }
         default: {
-          $content_template = "${content_base}sudoers.debian.erb"
+          $content_template = "${content_base}sudoers.debian.epp"
           $secure_path      = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/puppetlabs/bin'
         }
       }
@@ -45,7 +45,7 @@
       $package_admin_file = undef
       $config_file        = '/etc/sudoers'
       $config_dir         = '/etc/sudoers.d'
-      $content_template   = "${content_base}sudoers.rhel.erb"
+      $content_template   = "${content_base}sudoers.rhel.epp"
 
       case [$facts['os']['name'], $facts['os']['release']['major']] {
         ['Amazon', '2023']: {
@@ -72,7 +72,7 @@
       $package_admin_file = undef
       $config_file        = '/etc/sudoers'
       $config_dir         = '/etc/sudoers.d'
-      $content_template   = "${content_base}sudoers.suse.erb"
+      $content_template   = "${content_base}sudoers.suse.epp"
       $secure_path        = '/usr/sbin:/usr/bin:/sbin:/bin:/opt/puppetlabs/bin'
       $config_file_group  = 'root'
       $config_dir_keepme  = false
@@ -90,7 +90,7 @@
           $package_admin_file = undef
           $config_file        = '/etc/sudoers'
           $config_dir         = '/etc/sudoers.d'
-          $content_template   = "${content_base}sudoers.omnios.erb"
+          $content_template   = "${content_base}sudoers.omnios.epp"
           $secure_path        = undef
           $config_file_group  = 'root'
           $config_dir_keepme  = false
@@ -105,7 +105,7 @@
           $package_admin_file = undef
           $config_file        = '/opt/local/etc/sudoers'
           $config_dir         = '/opt/local/etc/sudoers.d'
-          $content_template   = "${content_base}sudoers.smartos.erb"
+          $content_template   = "${content_base}sudoers.smartos.epp"
           $secure_path        = undef
           $config_file_group  = 'root'
           $config_dir_keepme  = false
@@ -122,7 +122,7 @@
               $package_admin_file = undef
               $config_file        = '/etc/sudoers'
               $config_dir         = '/etc/sudoers.d'
-              $content_template   = "${content_base}sudoers.solaris.erb"
+              $content_template   = "${content_base}sudoers.solaris.epp"
               $secure_path        = undef
               $config_file_group  = 'root'
               $config_dir_keepme  = false
@@ -137,7 +137,7 @@
               $package_admin_file = '/var/sadm/install/admin/puppet'
               $config_file        = '/etc/sudoers'
               $config_dir         = '/etc/sudoers.d'
-              $content_template   = "${content_base}sudoers.solaris.erb"
+              $content_template   = "${content_base}sudoers.solaris.epp"
               $secure_path        = undef
               $config_file_group  = 'root'
               $config_dir_keepme  = false
@@ -162,7 +162,7 @@
       $package_admin_file = undef
       $config_file        = '/usr/local/etc/sudoers'
       $config_dir         = '/usr/local/etc/sudoers.d'
-      $content_template   = "${content_base}sudoers.freebsd.erb"
+      $content_template   = "${content_base}sudoers.freebsd.epp"
       $secure_path        = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/puppetlabs/bin'
       $config_file_group  = 'wheel'
       $config_dir_keepme  = true
@@ -178,7 +178,7 @@
       $package_admin_file = undef
       $config_file        = '/etc/sudoers'
       $config_dir         = '/etc/sudoers.d'
-      $content_template   = "${content_base}sudoers.openbsd.erb"
+      $content_template   = "${content_base}sudoers.openbsd.epp"
       $config_file_group  = 'wheel'
       $config_dir_keepme  = false
       $package_provider   = undef
@@ -193,7 +193,7 @@
       $package_admin_file = undef
       $config_file        = '/etc/sudoers'
       $config_dir         = '/etc/sudoers.d'
-      $content_template   = "${content_base}sudoers.aix.erb"
+      $content_template   = "${content_base}sudoers.aix.epp"
       $secure_path        = undef
       $config_file_group  = 'system'
       $config_dir_keepme  = false
@@ -209,7 +209,7 @@
       $package_admin_file = undef
       $config_file        = '/etc/sudoers'
       $config_dir         = '/etc/sudoers.d'
-      $content_template   = "${content_base}sudoers.darwin.erb"
+      $content_template   = "${content_base}sudoers.darwin.epp"
       $secure_path        = undef
       $config_file_group  = 'wheel'
       $config_dir_keepme  = false
@@ -229,7 +229,7 @@
           $package_admin_file = undef
           $config_file        = '/etc/sudoers'
           $config_dir         = '/etc/sudoers.d'
-          $content_template   = "${content_base}sudoers.gentoo.erb"
+          $content_template   = "${content_base}sudoers.gentoo.epp"
           $secure_path        = undef
           $config_file_group  = 'root'
           $config_dir_keepme  = false
@@ -245,7 +245,7 @@
           $package_admin_file = undef
           $config_file        = '/etc/sudoers'
           $config_dir         = '/etc/sudoers.d'
-          $content_template   = "${content_base}sudoers.archlinux.erb"
+          $content_template   = "${content_base}sudoers.archlinux.epp"
           $secure_path        = undef
           $config_file_group  = 'root'
           $config_dir_keepme  = false

diff --git a/templates/sudoers.aix.epp b/templates/sudoers.aix.epp
@@ -0,0 +1,116 @@
+<%- |
+  $config_dir,
+  $defaults,
+  $extra_include_dirs,
+  $sudoreplay_discard,
+  $use_sudoreplay,
+  $wheel_config,
+| -%>
+# file managed by puppet (unless config_file_replace=false)
+#
+## sudoers file.
+##
+## This file MUST be edited with the 'visudo' command as root.
+## Failure to use 'visudo' may result in syntax or file permission errors
+## that prevent sudo from running.
+##
+## See the sudoers man page for the details on how to write a sudoers file.
+##
+
+##
+## Host alias specification
+##
+## Groups of machines. These may include host names (optionally with wildcards),
+## IP addresses, network numbers or netgroups.
+# Host_Alias	WEBSERVERS = www1, www2, www3
+
+##
+## User alias specification
+##
+## Groups of users.  These may consist of user names, uids, Unix groups,
+## or netgroups.
+# User_Alias	ADMINS = millert, dowdy, mikef
+
+##
+## Cmnd alias specification
+##
+## Groups of commands.  Often used to group related commands together.
+# Cmnd_Alias	PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
+# 			    /usr/bin/pkill, /usr/bin/top
+
+##
+## Defaults specification
+##
+## You may wish to keep some of the following environment variables
+## when running commands via sudo.
+##
+## Locale settings
+# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
+##
+## Run X applications through sudo; HOME is used to find the
+## .Xauthority file.  Note that other programs use HOME to find
+## configuration files and this may lead to privilege escalation!
+# Defaults env_keep += "HOME"
+##
+## X11 resource path settings
+# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
+##
+## Desktop path settings
+# Defaults env_keep += "QTDIR KDEDIR"
+##
+## Allow sudo-run commands to inherit the callers' ConsoleKit session
+# Defaults env_keep += "XDG_SESSION_COOKIE"
+##
+## Uncomment to enable special input methods.  Care should be taken as
+## this may allow users to subvert the command being run via sudo.
+# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
+##
+## Uncomment to enable logging of a command's output, except for
+## sudoreplay and reboot.  Use sudoreplay to play back logged sessions.
+# Defaults log_output
+# Defaults!/usr/bin/sudoreplay !log_output
+# Defaults!/usr/local/bin/sudoreplay !log_output
+# Defaults!/sbin/reboot !log_output
+
+<% if $use_sudoreplay { %>
+Defaults log_output
+Defaults!/usr/bin/sudoreplay !log_output
+<% if $sudoreplay_discard { %>
+<% $sudoreplay_discard.each |$command| { -%>
+Defaults!<%= $command %> !log_output
+<% } -%>
+<% } -%>
+<% } -%>
+
+##
+## Runas alias specification
+##
+
+##
+## User privilege specification
+##
+root ALL=(ALL) ALL
+
+## Uncomment to allow members of group wheel to execute any command
+<%- if $wheel_config != 'password' { %># <% } -%>
+%wheel ALL=(ALL) ALL
+
+## Same thing without a password
+<%- if $wheel_config != 'nopassword' { %># <% } -%>
+%wheel ALL=(ALL) NOPASSWD: ALL
+
+## Uncomment to allow members of group sudo to execute any command
+# %sudo	ALL=(ALL) ALL
+
+## Uncomment to allow any user to run sudo if they know the password
+## of the user they are running the command as (root by default).
+# Defaults targetpw  # Ask for the password of the target user
+# ALL ALL=(ALL) ALL  # WARNING: only use this together with 'Defaults targetpw'
+
+## Read drop-in files
+## (the '#' here does not indicate a comment)
+#includedir <%= $config_dir %>
+<% $extra_include_dirs.each |$include_dir| { -%>
+#includedir <%= $include_dir %>
+<% } -%>
+<%= sudo::defaults($defaults) -%>