Update cookbooks and add wordpress cookbook

Greg Karékinian
2016-02-19 18:09:49 +01:00
parent 9ba973e3ac
commit 820b0ab3f8
606 changed files with 22421 additions and 14084 deletions

View File

@@ -1,119 +1,116 @@
v2.7.1 (2014-09-18)
-------------------
- [#53] - removed doublespace from sudoer.erb template
# sudo Cookbook CHANGELOG
This file is used to list changes made in each version of the sudo cookbook.
v2.7.0 (2014-08-08)
-------------------
## v2.9.0 (2016-02-07)
- Updated the provider to avoid writing out config files with periods in the filename when a user has a period in their name as these are skipped by the sudo package. A sudo config for invalid.user will write out a config named invalid_user now.
## v2.8.0 (2016-02-04)
- Added a new attribute to the recipe and provider for adding SETENV to sudoer config
- Updated development deps to the latest version
- Setup test kitchen to run in Travis with kitchen-docker
- Expanded the kitchen.yml config to include additional platforms
- Renamed the test recipe from fake to test
- Updated the testing and contributing docs to the latest
- Added maintainers.toml and maitainers.md
- Added a chefignore file to limit which files get uploaded to the chef server
- Added long_description to the metadata.rb
- Added source_url and issues_url for Supermarket to the metadata.rb
- Resolved all Rubocop warnings
- Updated the Chefspec to the 4.x format
- Removed kitchen cloud testing configs and gem deps
- Removed the Guardfile and the gem deps
## v2.7.2 (2015-07-10)
- Adding support for keep_env
- misc cleanup
## v2.7.1 (2014-09-18)
- [#53] - removed double space from sudoer.erb template
## v2.7.0 (2014-08-08)
- [#44] Add basic ChefSpec matchers
v2.6.0 (2014-05-15)
-------------------
## v2.6.0 (2014-05-15)
- [COOK-4612] Add support for the command alias (Cmnd_Alias) directive
- [COOK-4637] - handle duplicate resources in LWRP
v2.5.2 (2014-02-27)
-------------------
## v2.5.2 (2014-02-27)
Bumping version for toolchain sanity
v2.5.0 (2014-02-27)
-------------------
## v2.5.0 (2014-02-27)
Bumping to 2.5.0
v2.4.2 (2014-02-27)
-------------------
## v2.4.2 (2014-02-27)
[COOK-4350] - Fix issue with "Defaults" line in sudoer.erb
v2.4.0 (2014-02-18)
-------------------
## v2.4.0 (2014-02-18)
### Bug
- **[COOK-4225](https://tickets.opscode.com/browse/COOK-4225)** - Mac OS X: /etc/sudoers: syntax error when include_sudoers_d is true
- **[COOK-4225](https://tickets.chef.io/browse/COOK-4225)** - Mac OS X: /etc/sudoers: syntax error when include_sudoers_d is true
### Improvement
- **[COOK-4014](https://tickets.opscode.com/browse/COOK-4014)** - It should be possible to remove the 'sysadmin' group setting from /etc/sudoers
- **[COOK-3643](https://tickets.opscode.com/browse/COOK-3643)** - FreeBSD support for sudo cookbook
- **[COOK-4014](https://tickets.chef.io/browse/COOK-4014)** - It should be possible to remove the 'sysadmin' group setting from /etc/sudoers
- **[COOK-3643](https://tickets.chef.io/browse/COOK-3643)** - FreeBSD support for sudo cookbook
### New Feature
- **[COOK-3409](https://tickets.opscode.com/browse/COOK-3409)** - enhance sudo lwrp's default template to allow defining default user parameters
- **[COOK-3409](https://tickets.chef.io/browse/COOK-3409)** - enhance sudo lwrp's default template to allow defining default user parameters
v2.3.0
------
## v2.3.0
### Improvement
- **[COOK-3843](https://tickets.opscode.com/browse/COOK-3843)** - Make cookbook 'sudo' compatible with Mac OS X
- **[COOK-3843](https://tickets.chef.io/browse/COOK-3843)** - Make cookbook 'sudo' compatible with Mac OS X
v2.2.2
------
## v2.2.2
### Improvement
- **[COOK-3653](https://tickets.opscode.com/browse/COOK-3653)** - Change template attribute to kind_of String
- **[COOK-3572](https://tickets.opscode.com/browse/COOK-3572)** - Add Test Kitchen, Specs, and Travis CI
- **[COOK-3653](https://tickets.chef.io/browse/COOK-3653)** - Change template attribute to kind_of String
- **[COOK-3572](https://tickets.chef.io/browse/COOK-3572)** - Add Test Kitchen, Specs, and Travis CI
### Bug
- **[COOK-3610](https://tickets.opscode.com/browse/COOK-3610)** - Document "Runas" attribute not described in the LWRP Attributes section
- **[COOK-3431](https://tickets.opscode.com/browse/COOK-3431)** - Validate correctly with `visudo`
- **[COOK-3610](https://tickets.chef.io/browse/COOK-3610)** - Document "Runas" attribute not described in the LWRP Attributes section
- **[COOK-3431](https://tickets.chef.io/browse/COOK-3431)** - Validate correctly with `visudo`
v2.2.0
------
## v2.2.0
### New Feature
- **[COOK-3056](https://tickets.opscode.com/browse/COOK-3056)** - Allow custom sudoers config prefix
- **[COOK-3056](https://tickets.chef.io/browse/COOK-3056)** - Allow custom sudoers config prefix
v2.1.4
------
## v2.1.4
This is a bugfix for 11.6.0 compatibility, as we're not monkey-patching Erubis::Context.
### Bug
- [COOK-3399]: Remove node attribute in comment of sudoers templates
v2.1.2
------
## v2.1.2
### Bug
- [COOK-2388]: Chef::ShellOut is deprecated, please use Mixlib::ShellOut
- [COOK-2814]: Incorrect syntax in README example
v2.1.0
------
* [COOK-2388] - Chef::ShellOut is deprecated, please use Mixlib::ShellOut
* [COOK-2427] - unable to install users cookbook in chef 11
* [COOK-2814] - Incorrect syntax in README example
## v2.1.0
- [COOK-2388] - Chef::ShellOut is deprecated, please use Mixlib::ShellOut
- [COOK-2427] - unable to install users cookbook in chef 11
- [COOK-2814] - Incorrect syntax in README example
v2.0.4
------
* [COOK-2078] - syntax highlighting README on GitHub flavored markdown
* [COOK-2119] - LWRP template doesn't support multiple commands in a single block.
## v2.0.4
- [COOK-2078] - syntax highlighting README on GitHub flavored markdown
- [COOK-2119] - LWRP template doesn't support multiple commands in a single block.
v2.0.2
------
* [COOK-2109] - lwrp uses incorrect action on underlying file resource.
## v2.0.2
- [COOK-2109] - lwrp uses incorrect action on underlying file resource.
v2.0.0
------
## v2.0.0
This is a major release because the LWRP's "nopasswd" attribute is changed from true to false, to match the passwordless attribute in the attributes file. This requires a change to people's LWRP use.
- [COOK-2085] - Incorrect default value in the sudo LWRP's nopasswd attribute
* [COOK-2085] - Incorrect default value in the sudo LWRP's nopasswd attribute
## v1.3.0
- [COOK-1892] - Revamp sudo cookbook and LWRP
- [COOK-2022] - add an attribute for setting /etc/sudoers Defaults
v1.3.0
------
* [COOK-1892] - Revamp sudo cookbook and LWRP
* [COOK-2022] - add an attribute for setting /etc/sudoers Defaults
## v1.2.2
- [COOK-1628] - set host in sudo lwrp
v1.2.2
------
* [COOK-1628] - set host in sudo lwrp
## v1.2.0
- [COOK-1314] - default package action is now :install instead of :upgrade
- [COOK-1549] - Preserve SSH agent credentials upon sudo using an attribute
v1.2.0
------
* [COOK-1314] - default package action is now :install instead of :upgrade
* [COOK-1549] - Preserve SSH agent credentials upon sudo using an attribute
## v1.1.0
- [COOK-350] - LWRP to manage sudo files via include dir (/etc/sudoers.d)
v1.1.0
------
* [COOK-350] - LWRP to manage sudo files via includedir (/etc/sudoers.d)
v1.0.2
------
* [COOK-903] - freebsd support
## v1.0.2
- [COOK-903] - freebsd support
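Review bot: the v2.9.0 entry says a config for invalid.user is written out as invalid_user, but the sudo_filename helper added to the provider in this commit substitutes two underscores (`gsub(/\./, '__')`), which gives invalid__user; correct the changelog or the helper so the two agree. In the v2.8.0 list, "maitainers.md" should read "maintainers.md".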

View File

@@ -0,0 +1,2 @@
Please refer to
https://github.com/chef-cookbooks/community_cookbook_documentation/blob/master/CONTRIBUTING.MD

View File

@@ -0,0 +1,19 @@
<!-- This is a generated file. Please do not edit directly -->
# Maintainers
This file lists how this cookbook project is maintained. When making changes to the system, this
file tells you who needs to review your patch - you need a simple majority of maintainers
for the relevant subsystems to provide a :+1: on your pull request. Additionally, you need
to not receive a veto from a Lieutenant or the Project Lead.
Check out [How Cookbooks are Maintained](https://github.com/chef-cookbooks/community_cookbook_documentation/blob/master/CONTRIBUTING.MD)
for details on the process and how to become a maintainer or the project lead.
# Project Maintainer
* [Tim Smith](https://github.com/tas50)
# Maintainers
* [Jennifer Davis](https://github.com/sigje)
* [Sean OMeara](https://github.com/someara)
* [Tim Smith](https://github.com/tas50)
* [Thom May](https://github.com/thommay)

View File

@@ -1,30 +1,34 @@
sudo cookbook
=============
[![Build Status](https://secure.travis-ci.org/opscode-cookbooks/sudo.png?branch=master)](http://travis-ci.org/opscode-cookbooks/sudo)
# sudo cookbook
[![Build Status](https://travis-ci.org/chef-cookbooks/sudo.svg?branch=master)](http://travis-ci.org/chef-cookbooks/sudo) [![Cookbook Version](https://img.shields.io/cookbook/v/sudo.svg)](https://supermarket.chef.io/cookbooks/sudo)
The Chef `sudo` cookbook installs the `sudo` package and configures the `/etc/sudoers` file.
It also exposes an LWRP for adding and managing sudoers.
## Requirements
### Platforms
- Debian/Ubuntu
- RHEL/CentOS/Scientific/Amazon/Oracle
- FreeBSD
- Mac OS X
Requirements
------------
The platform has a package named `sudo` and the `sudoers` file is `/etc/sudoers`.
### Chef
- Chef 11+
### Cookbooks
- None
Attributes
----------
## Attributes
- `node['authorization']['sudo']['groups']` - groups to enable sudo access (default: `[ "sysadmin" ]`)
- `node['authorization']['sudo']['users']` - users to enable sudo access (default: `[]`)
- `node['authorization']['sudo']['passwordless']` - use passwordless sudo (default: `false`)
- `node['authorization']['sudo']['include_sudoers_d']` - include and manager `/etc/sudoers.d` (default: `false`)
- `node['authorization']['sudo']['include_sudoers_d']` - include and manage `/etc/sudoers.d` (default: `false`)
- `node['authorization']['sudo']['agent_forwarding']` - preserve `SSH_AUTH_SOCK` when sudoing (default: `false`)
- `node['authorization']['sudo']['sudoers_defaults']` - Array of `Defaults` entries to configure in `/etc/sudoers`
- `node['authorization']['sudo']['setenv']` - Whether to permit preserving of environment with `sudo -E` (default: `false`)
Usage
-----
#### Attributes
## Usage
### Attributes
To use attributes for defining sudoers, set the attributes above on the node (or role) itself:
```json
@@ -56,24 +60,23 @@ default_attributes(
**Note that the template for the sudoers file has the group "sysadmin" with ALL:ALL permission, though the group by default does not exist.**
#### Sudoers Defaults
### Sudoers Defaults
Configure a node attribute, `node['authorization']['sudo']['sudoers_defaults']` as an array of `Defaults` entries to configure in `/etc/sudoers`. A list of examples for common platforms is listed below:
Configure a node attribute,
`node['authorization']['sudo']['sudoers_defaults']` as an array of
`Defaults` entries to configure in `/etc/sudoers`. A list of examples
for common platforms is listed below:
_Debian_
*Debian*
```ruby
node.default['authorization']['sudo']['sudoers_defaults'] = ['env_reset']
```
*Ubuntu 10.04*
_Ubuntu 10.04_
```ruby
node.default['authorization']['sudo']['sudoers_defaults'] = ['env_reset']
```
*Ubuntu 12.04*
_Ubuntu 12.04_
```ruby
node.default['authorization']['sudo']['sudoers_defaults'] = [
'env_reset',
@@ -81,7 +84,8 @@ node.default['authorization']['sudo']['sudoers_defaults'] = [
]
```
*FreeBSD*
_FreeBSD_
```ruby
node.default['authorization']['sudo']['sudoers_defaults'] = [
'env_reset',
@@ -89,8 +93,7 @@ node.default['authorization']['sudo']['sudoers_defaults'] = [
]
```
*RHEL family 5.x*
The version of sudo in RHEL 5 may not support `+=`, as used in `env_keep`, so its a single string.
_RHEL family 5.x_ The version of sudo in RHEL 5 may not support `+=`, as used in `env_keep`, so its a single string.
```ruby
node.default['authorization']['sudo']['sudoers_defaults'] = [
@@ -105,7 +108,8 @@ node.default['authorization']['sudo']['sudoers_defaults'] = [
]
```
*RHEL family 6.x*
_RHEL family 6.x_
```ruby
node.default['authorization']['sudo']['sudoers_defaults'] = [
'!visiblepw',
@@ -121,7 +125,8 @@ node.default['authorization']['sudo']['sudoers_defaults'] = [
]
```
*Mac OS X*
_Mac OS X_
```ruby
node.default['authorization']['sudo']['sudoers_defaults'] = [
'env_reset',
@@ -139,13 +144,12 @@ node.default['authorization']['sudo']['sudoers_defaults'] = [
]
```
#### LWRP
### LWRP
**Note** Sudo version 1.7.2 or newer is required to use the sudo LWRP as it relies on the "#includedir" directive introduced in version 1.7.2. The recipe does not enforce installing the version. To use this LWRP, set `node['authorization']['sudo']['include_sudoers_d']` to `true`.
There are two ways for rendering a sudoer-fragment using this LWRP:
1. Using the built-in template
2. Using a custom, cookbook-level template
1. Using the built-in template
2. Using a custom, cookbook-level template
Both methods will create the `/etc/sudoers.d/#{username}` file with the correct permissions.
@@ -177,7 +181,7 @@ In either case, the following file would be generated in `/etc/sudoers.d/tomcat`
%tomcat ALL=(app_user) /etc/init.d/tomcat restart
```
##### LWRP Attributes
#### LWRP Attributes
<table>
<thead>
<tr>
@@ -238,6 +242,24 @@ case it is not already</td>
<td><tt>['!requiretty','env_reset']</tt></td>
<td></td>
</tr>
<tr>
<td>setenv</td>
<td>whether to permit the preserving of environment with `sudo -E`</td>
<td><tt>true</tt></td>
<td><tt><false></tt></td>
</tr>
<tr>
<td>env_keep_add</td>
<td>array of strings to add to env_keep</td>
<td><tt>['HOME', 'MY_ENV_VAR MY_OTHER_ENV_VAR']</tt></td>
<td></td>
</tr>
<tr>
<td>env_keep_subtract</td>
<td>array of strings to remove from env_keep</td>
<td><tt>['DISPLAY', 'MY_SECURE_ENV_VAR']</tt></td>
<td></td>
</tr>
<tr>
<td>variables</td>
<td>the variables to pass to the custom template</td>
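Review bot: in the new setenv row, the default cell `<td><tt><false></tt></td>` wraps false in angle brackets, so an HTML renderer treats it as an unknown tag and shows an empty cell; write `<tt>false</tt>`. The description cell in the same row puts Markdown backticks around sudo -E inside raw HTML, where the other rows use `<tt>`, and Markdown renderers generally leave backticks unprocessed inside an HTML table.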
@@ -249,50 +271,49 @@ case it is not already</td>
**If you use the template attribute, all other attributes will be ignored except for the variables attribute.**
Development
-----------
## Development
This section details "quick development" steps. For a detailed explanation, see [[Contributing.md]].
- Clone this repository from GitHub:
1. Clone this repository from GitHub:
```
$ git clone git@github.com:chef-cookbooks/sudo.git
```
$ git clone git@github.com:opscode-cookbooks/sudo.git
- Create a git branch
2. Create a git branch
```
$ git checkout -b my_bug_fix
```
$ git checkout -b my_bug_fix
- Install dependencies:
3. Install dependencies:
```
$ bundle install
```
$ bundle install
4. Make your changes/patches/fixes, committing appropiately
5. **Write tests**
6. Run the tests:
- `bundle exec foodcritic -f any .`
- `bundle exec rspec`
- `bundle exec rubocop`
- `bundle exec kitchen test`
- Make your changes/patches/fixes, committing appropiately
- **Write tests**
- Run the tests:
- `bundle exec foodcritic -f any .`
- `bundle exec rspec`
- `bundle exec rubocop`
- `bundle exec kitchen test`
In detail:
- Foodcritic will catch any Chef-specific style errors
- RSpec will run the unit tests
- Rubocop will check for Ruby-specific style errors
- Test Kitchen will run and converge the recipes
- Foodcritic will catch any Chef-specific style errors
- RSpec will run the unit tests
- Rubocop will check for Ruby-specific style errors
- Test Kitchen will run and converge the recipes
## License & Authors
**Author:** Bryan W. Berry [bryan.berry@gmail.com](mailto:bryan.berry@gmail.com)
**Author:** Cookbook Engineering Team ([cookbooks@chef.io](mailto:cookbooks@chef.io))
License and Authors
-------------------
- Author:: Bryan W. Berry <bryan.berry@gmail.com>
- Author:: Adam Jacob <adam@opscode.com>
- Author:: Seth Chisamore <schisamo@opscode.com>
- Author:: Seth Vargo <sethvargo@gmail.com>
```text
Copyright 2009-2012, Opscode, Inc.
**Copyright:** 2008-2016, Chef Software, Inc.
```
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
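Review bot: step 4 of the renumbered development list still reads "committing appropiately"; since the line is being rewritten anyway, fix the spelling to "appropriately". The intro sentence also keeps the `[[Contributing.md]]` wiki-style reference, which is not Markdown link syntax and renders as literal brackets; link it to a real target, for example the community CONTRIBUTING.MD URL already used in the maintainers file.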

View File

@@ -2,7 +2,7 @@
# Cookbook Name:: sudo
# Attribute File:: default
#
# Copyright 2008-2013, Opscode, Inc.
# Copyright 2008-2016, Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -20,16 +20,19 @@
default['authorization']['sudo']['groups'] = ['sysadmin']
default['authorization']['sudo']['users'] = []
default['authorization']['sudo']['passwordless'] = false
default['authorization']['sudo']['setenv'] = false
default['authorization']['sudo']['include_sudoers_d'] = false
default['authorization']['sudo']['agent_forwarding'] = false
default['authorization']['sudo']['sudoers_defaults'] = ['!lecture,tty_tickets,!fqdn']
default['authorization']['sudo']['command_aliases'] = []
default['authorization']['sudo']['env_keep_add'] = []
default['authorization']['sudo']['env_keep_subtract'] = []
case node['platform_family']
when 'smartos'
default['authorization']['sudo']['prefix'] = '/opt/local/etc'
when 'freebsd'
default['authorization']['sudo']['prefix'] = '/usr/local/etc'
else
default['authorization']['sudo']['prefix'] = '/etc'
end
default['authorization']['sudo']['prefix'] = case node['platform_family']
when 'smartos'
'/opt/local/etc'
when 'freebsd'
'/usr/local/etc'
else
'/etc'
end
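Review bot: env_keep_add and env_keep_subtract get node-level defaults here and are passed to the sudoers template by the recipe, but the README attribute list updated in this commit documents only setenv; add entries for both so users know the expected form (an array of strings) and the default.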

File diff suppressed because one or more lines are too long

View File

@@ -1,46 +0,0 @@
name 'sudo'
maintainer 'Opscode, Inc.'
maintainer_email 'cookbooks@opscode.com'
license 'Apache 2.0'
description 'Installs sudo and configures /etc/sudoers'
version '2.7.1'
recipe 'sudo', 'Installs sudo and configures /etc/sudoers'
%w(redhat centos fedora ubuntu debian freebsd mac_os_x).each do |os|
supports os
end
attribute 'authorization',
:display_name => 'Authorization',
:description => 'Hash of Authorization attributes',
:type => 'hash'
attribute 'authorization/sudo',
:display_name => 'Authorization Sudoers',
:description => 'Hash of Authorization/Sudo attributes',
:type => 'hash'
attribute 'authorization/sudo/users',
:display_name => 'Sudo Users',
:description => 'Users who are allowed sudo ALL',
:type => 'array',
:default => ''
attribute 'authorization/sudo/groups',
:display_name => 'Sudo Groups',
:description => 'Groups who are allowed sudo ALL',
:type => 'array',
:default => ''
attribute 'authorization/sudo/passwordless',
:display_name => 'Passwordless Sudo',
:description => '',
:type => 'string',
:default => 'false'
attribute 'authorization/sudo/include_sudoers_d',
:display_name => 'Include sudoers.d',
:description => 'Whether to create the sudoers.d includedir',
:type => 'string',
:default => 'false'

View File

@@ -26,12 +26,12 @@ def whyrun_supported?
end
# Ensure that the inputs are valid (we cannot just use the resource for this)
def check_inputs(user, group, foreign_template, foreign_vars)
def check_inputs(user, group, foreign_template, _foreign_vars)
# if group, user, and template are nil, throw an exception
if user.nil? && group.nil? && foreign_template.nil?
fail 'You must provide a user, group, or template!'
raise 'You must provide a user, group, or template!'
elsif !user.nil? && !group.nil? && !template.nil?
fail 'You cannot specify user, group, and template!'
raise 'You cannot specify user, group, and template!'
end
end
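Review bot: the elsif branch of check_inputs tests `!template.nil?` rather than `!foreign_template.nil?`, so it never checks the argument that the first branch checks; `template` here is the resource DSL method used further down in render_sudoer, not the parameter. The rename to `_foreign_vars` marks that parameter as unused; if nothing consumes it, drop it from the signature and the call site instead of silencing the warning.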
@@ -66,31 +66,34 @@ def render_sudoer
if new_resource.template
Chef::Log.debug('Template attribute provided, all other attributes ignored.')
resource = template "#{node['authorization']['sudo']['prefix']}/sudoers.d/#{new_resource.name}" do
source new_resource.template
owner 'root'
group node['root_group']
mode '0440'
variables new_resource.variables
action :nothing
resource = template "#{node['authorization']['sudo']['prefix']}/sudoers.d/#{sudo_filename}" do
source new_resource.template
owner 'root'
group node['root_group']
mode '0440'
variables new_resource.variables
action :nothing
end
else
sudoer = new_resource.user || "%#{new_resource.group}".squeeze('%')
resource = template "#{node['authorization']['sudo']['prefix']}/sudoers.d/#{new_resource.name}" do
source 'sudoer.erb'
cookbook 'sudo'
owner 'root'
group node['root_group']
mode '0440'
variables :sudoer => sudoer,
:host => new_resource.host,
:runas => new_resource.runas,
:nopasswd => new_resource.nopasswd,
:commands => new_resource.commands,
:command_aliases => new_resource.command_aliases,
:defaults => new_resource.defaults
action :nothing
resource = template "#{node['authorization']['sudo']['prefix']}/sudoers.d/#{sudo_filename}" do
source 'sudoer.erb'
cookbook 'sudo'
owner 'root'
group node['root_group']
mode '0440'
variables sudoer: sudoer,
host: new_resource.host,
runas: new_resource.runas,
nopasswd: new_resource.nopasswd,
commands: new_resource.commands,
command_aliases: new_resource.command_aliases,
defaults: new_resource.defaults,
setenv: new_resource.setenv,
env_keep_add: new_resource.env_keep_add,
env_keep_subtract: new_resource.env_keep_subtract
action :nothing
end
end
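Review bot: the rendered path now goes through sudo_filename in both branches, but no hunk in this file touches the :remove action; if it still builds its path from new_resource.name, removing a resource whose name contains a period will look for the old file name and leave the renamed fragment, and the sudo rights it grants, in place. Nodes converged with the previous version also keep the old dotted file on disk unless something deletes it.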
@@ -107,7 +110,7 @@ end
action :install do
target = "#{node['authorization']['sudo']['prefix']}/sudoers.d/"
unless ::File.exists?(target)
unless ::File.exist?(target)
sudoers_dir = directory target
sudoers_dir.run_action(:create)
end
@@ -126,6 +129,12 @@ end
private
# acording to the sudo man pages sudo will ignore files in an include dir that have a `.` or `~`
# It is quite common for users to have a `.` in their login, so we will convert this to `__`
def sudo_filename
new_resource.name.gsub(/\./, '__')
end
# Capture a template to a string
def capture(template)
context = {}
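Review bot: the comment on sudo_filename names both `.` and `~` as characters that make sudo skip a file, but the gsub only rewrites periods, so a resource name ending in `~` would still be ignored; either handle that case or narrow the comment. Mapping `.` to `__` also lets two distinct names collide (a.b and a__b both become a__b), with the later resource overwriting the earlier fragment. "acording" should be "according".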

View File

@@ -2,7 +2,7 @@
# Cookbook Name:: sudo
# Recipe:: default
#
# Copyright 2008-2013, Opscode, Inc.
# Copyright 2008-2016, Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -25,31 +25,34 @@ end
if node['authorization']['sudo']['include_sudoers_d']
directory "#{prefix}/sudoers.d" do
mode '0755'
owner 'root'
group node['root_group']
mode '0755'
owner 'root'
group node['root_group']
end
cookbook_file "#{prefix}/sudoers.d/README" do
source 'README'
mode '0440'
owner 'root'
group node['root_group']
source 'README'
mode '0440'
owner 'root'
group node['root_group']
end
end
template "#{prefix}/sudoers" do
source 'sudoers.erb'
mode '0440'
owner 'root'
group node['root_group']
mode '0440'
owner 'root'
group node['root_group']
variables(
:sudoers_groups => node['authorization']['sudo']['groups'],
:sudoers_users => node['authorization']['sudo']['users'],
:passwordless => node['authorization']['sudo']['passwordless'],
:include_sudoers_d => node['authorization']['sudo']['include_sudoers_d'],
:agent_forwarding => node['authorization']['sudo']['agent_forwarding'],
:sudoers_defaults => node['authorization']['sudo']['sudoers_defaults'],
:command_aliases => node['authorization']['sudo']['command_aliases']
sudoers_groups: node['authorization']['sudo']['groups'],
sudoers_users: node['authorization']['sudo']['users'],
passwordless: node['authorization']['sudo']['passwordless'],
setenv: node['authorization']['sudo']['setenv'],
include_sudoers_d: node['authorization']['sudo']['include_sudoers_d'],
agent_forwarding: node['authorization']['sudo']['agent_forwarding'],
sudoers_defaults: node['authorization']['sudo']['sudoers_defaults'],
command_aliases: node['authorization']['sudo']['command_aliases'],
env_keep_add: node['authorization']['sudo']['env_keep_add'],
env_keep_subtract: node['authorization']['sudo']['env_keep_subtract']
)
end

View File

@@ -20,23 +20,26 @@
actions :install, :remove
default_action :install
attribute :user, :kind_of => String, :default => nil
attribute :group, :kind_of => String, :default => nil
attribute :commands, :kind_of => Array, :default => ['ALL']
attribute :host, :kind_of => String, :default => 'ALL'
attribute :runas, :kind_of => String, :default => 'ALL'
attribute :nopasswd, :equal_to => [true, false], :default => false
attribute :template, :kind_of => String, :default => nil
attribute :variables, :kind_of => Hash, :default => nil
attribute :defaults, :kind_of => Array, :default => []
attribute :command_aliases, :kind_of => Array, :default => []
attribute :user, kind_of: String, default: nil
attribute :group, kind_of: String, default: nil
attribute :commands, kind_of: Array, default: ['ALL']
attribute :host, kind_of: String, default: 'ALL'
attribute :runas, kind_of: String, default: 'ALL'
attribute :nopasswd, equal_to: [true, false], default: false
attribute :template, kind_of: String, default: nil
attribute :variables, kind_of: Hash, default: nil
attribute :defaults, kind_of: Array, default: []
attribute :command_aliases, kind_of: Array, default: []
attribute :setenv, equal_to: [true, false], default: false
attribute :env_keep_add, kind_of: Array, default: []
attribute :env_keep_subtract, kind_of: Array, default: []
# Set default for the supports attribute in initializer since it is
# a 'reserved' attribute name
def initialize(*args)
super
@action = :install
@supports = { :report => true, :exception => true }
@supports = { report: true, exception: true }
end
state_attrs :commands,
@@ -47,4 +50,6 @@ state_attrs :commands,
:template,
:user,
:variables,
:command_aliases
:command_aliases,
:env_keep_add,
:env_keep_subtract
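Review bot: state_attrs gains :env_keep_add and :env_keep_subtract but not :setenv, although setenv is added as a resource attribute in the hunk above and changes the rendered rule; add :setenv to the list so it is reported with the other attributes.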

View File

@@ -5,8 +5,16 @@
Cmnd_Alias <%= a[:name].upcase %> = <%= a[:command_list].join(', ') %>
<% end -%>
<% @env_keep_add.each do |env_keep| -%>
Defaults env_keep += "<%= env_keep %>"
<% end -%>
<% @env_keep_subtract.each do |env_keep| -%>
Defaults env_keep -= "<%= env_keep %>"
<% end -%>
<% @commands.each do |command| -%>
<%= @sudoer %> <%= @host %>=(<%= @runas %>) <%= 'NOPASSWD:' if @nopasswd %><%= command %>
<%= @sudoer %> <%= @host %>=(<%= @runas %>) <%= 'NOPASSWD:' if @nopasswd %><%= 'SETENV:' if @setenv %><%= command %>
<% end -%>
<% unless @defaults.empty? %>
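Review bot: the two new loops emit plain `Defaults env_keep += ...` and `Defaults env_keep -= ...` lines, which sudo applies to every user rather than only to @sudoer, even though they are set per resource and written into that sudoer's fragment; scope them, for example `Defaults:<%= @sudoer %> env_keep += "..."`. The values are also interpolated inside double quotes with no validation, so an entry containing a quote or a newline would produce a different sudoers line than intended; reject such characters in the resource.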

View File

@@ -16,12 +16,13 @@ Cmnd_Alias <%= a[:name].upcase %> = <%= a[:command_list].join(', ') %>
<% end -%>
<% @sudoers_users.each do |user| -%>
<%= user %> ALL=(ALL) <%= "NOPASSWD:" if @passwordless %>ALL
<%= user %> ALL=(ALL) <%= "NOPASSWD:" if @passwordless %><%= "SETENV:" if @setenv %>ALL
<% end -%>
<% @sudoers_groups.each do |group| -%>
# Members of the group '<%= group %>' may gain root privileges
%<%= group %> ALL=(ALL) <%= "NOPASSWD:" if @passwordless %>ALL
%<%= group %> ALL=(ALL) <%= "NOPASSWD:" if @passwordless %><%= "SETENV:" if @setenv %>ALL
<% end -%>
# This is not a comment; see sudoers(5) for more information on "#include" directives
<%= "#includedir #{node['authorization']['sudo']['prefix']}/sudoers.d" if @include_sudoers_d %>
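Review bot: both changed rules grant ALL as the command, and sudoers(5) states that the SETENV tag is implied when the matched command is ALL, so leaving setenv at false does not stop these users from running sudo -E; if the attribute is meant to act as a switch, emit `NOSETENV:` when it is false. The same applies to the identical change in the other sudoers template in this commit.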

View File

@@ -12,12 +12,12 @@ Defaults env_keep+=SSH_AUTH_SOCK
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
<% @sudoers_users.each do |user| -%>
<%= user %> ALL=(ALL) <%= "NOPASSWD:" if @passwordless %>ALL
<%= user %> ALL=(ALL) <%= "NOPASSWD:" if @passwordless %><%= "SETENV:" if @setenv %>ALL
<% end -%>
<% @sudoers_groups.each do |group| -%>
# Members of the group '<%= group %>' may gain root privileges
%<%= group %> ALL=(ALL) <%= "NOPASSWD:" if @passwordless %>ALL
%<%= group %> ALL=(ALL) <%= "NOPASSWD:" if @passwordless %><%= "SETENV:" if @setenv %>ALL
<% end -%>
<%= "#includedir #{node['authorization']['sudo']['prefix']}/sudoers.d" if @include_sudoers_d %>