Update upstream cookbooks

Greg Karékinian
2017-03-20 13:19:10 +00:00
parent bfd2d52ea8
commit bcfd44b923
340 changed files with 12576 additions and 5465 deletions

@@ -1,10 +1,49 @@
# sudo Cookbook CHANGELOG
This file is used to list changes made in each version of the sudo cookbook.
## 3.3.1 (2017-01-17)
- fixed command_aliases in README
## 3.3.0 (2017-01-04)
- Add attributes for env_keep_add and env_keep_subtract for the base sudoers file
- Sanitize file names in the :remove action so we remove the proper files
## 3.2.0 (2016-12-27)
- Convert ~ to __ like we do for i (sudoers.d files)
## 3.1.0 (2016-10-24)
- add attribute custom_commands for user and group
## 3.0.0 (2016-09-08)
- Testing updates
- Require Chef 12.1+
## 2.11.0 (2016-08-09)
- Add support for NOEXEC flag
## v2.10.0 (2016-08-04)
- Added a warning to the LWRP if include_sudoers_d is set to false
- Enabled use_inline_resources in the LWRP
- Added IBM zlinux as a supported platform
- Added suse, opensuse, and opensuseleap to the metadata as they are now tested platforms
- Added chef_version metadata to metadata.rb
- Removed attributes from the metadata.rb as this serves little purpose
- Converted bats integration tests to inspec
- Switched from rubocop to cookstyle for Ruby linting
- Removed the need for the apt cookbook in the test suite by using the apt_update resource instead
- Switched from kitchen-docker to kitchen-dokken and enabled Debian/Opensuse platforms in Travis
## v2.9.0 (2016-02-07)
- Updated the provider to avoid writing out config files with periods in the filename when a user has a period in their name as these are skipped by the sudo package. A sudo config for invalid.user will write out a config named invalid_user now.
## v2.8.0 (2016-02-04)
- Added a new attribute to the recipe and provider for adding SETENV to sudoer config
- Updated development deps to the latest version
- Setup test kitchen to run in Travis with kitchen-docker
@@ -21,96 +60,133 @@ This file is used to list changes made in each version of the sudo cookbook.
- Removed the Guardfile and the gem deps
## v2.7.2 (2015-07-10)
- Adding support for keep_env
- misc cleanup
## v2.7.1 (2014-09-18)
- [#53] - removed double space from sudoer.erb template
## v2.7.0 (2014-08-08)
- [#44] Add basic ChefSpec matchers
## v2.6.0 (2014-05-15)
- [COOK-4612] Add support for the command alias (Cmnd_Alias) directive
- [COOK-4637] - handle duplicate resources in LWRP
## v2.5.2 (2014-02-27)
Bumping version for toolchain sanity
## v2.5.0 (2014-02-27)
Bumping to 2.5.0
## v2.4.2 (2014-02-27)
[COOK-4350] - Fix issue with "Defaults" line in sudoer.erb
## v2.4.0 (2014-02-18)
**BREAKING CHANGE**: The `sysadmin` group has been removed from the template. You will lose sudo access if:
- You have users that depend on the sysadmin group for sudo access, and
- You are overriding authorization.sudo.groups, but not including `sysadmin` in the list of groups
### Bug
- **[COOK-4225](https://tickets.chef.io/browse/COOK-4225)** - Mac OS X: /etc/sudoers: syntax error when include_sudoers_d is true
### Improvement
- **[COOK-4014](https://tickets.chef.io/browse/COOK-4014)** - It should be possible to remove the 'sysadmin' group setting from /etc/sudoers
- **[COOK-3643](https://tickets.chef.io/browse/COOK-3643)** - FreeBSD support for sudo cookbook
### New Feature
- **[COOK-3409](https://tickets.chef.io/browse/COOK-3409)** - enhance sudo lwrp's default template to allow defining default user parameters
## v2.3.0
### Improvement
- **[COOK-3843](https://tickets.chef.io/browse/COOK-3843)** - Make cookbook 'sudo' compatible with Mac OS X
## v2.2.2
### Improvement
- **[COOK-3653](https://tickets.chef.io/browse/COOK-3653)** - Change template attribute to kind_of String
- **[COOK-3572](https://tickets.chef.io/browse/COOK-3572)** - Add Test Kitchen, Specs, and Travis CI
### Bug
- **[COOK-3610](https://tickets.chef.io/browse/COOK-3610)** - Document "Runas" attribute not described in the LWRP Attributes section
- **[COOK-3431](https://tickets.chef.io/browse/COOK-3431)** - Validate correctly with `visudo`
## v2.2.0
### New Feature
- **[COOK-3056](https://tickets.chef.io/browse/COOK-3056)** - Allow custom sudoers config prefix
## v2.1.4
This is a bugfix for 11.6.0 compatibility, as we're not monkey-patching Erubis::Context.
### Bug
- [COOK-3399]: Remove node attribute in comment of sudoers templates
## v2.1.2
### Bug
- [COOK-2388]: Chef::ShellOut is deprecated, please use Mixlib::ShellOut
- [COOK-2814]: Incorrect syntax in README example
## v2.1.0
- [COOK-2388] - Chef::ShellOut is deprecated, please use Mixlib::ShellOut
- [COOK-2427] - unable to install users cookbook in chef 11
- [COOK-2814] - Incorrect syntax in README example
## v2.0.4
- [COOK-2078] - syntax highlighting README on GitHub flavored markdown
- [COOK-2119] - LWRP template doesn't support multiple commands in a single block.
## v2.0.2
- [COOK-2109] - lwrp uses incorrect action on underlying file resource.
## v2.0.0
This is a major release because the LWRP's "nopasswd" attribute is changed from true to false, to match the passwordless attribute in the attributes file. This requires a change to people's LWRP use.
- [COOK-2085] - Incorrect default value in the sudo LWRP's nopasswd attribute
## v1.3.0
- [COOK-1892] - Revamp sudo cookbook and LWRP
- [COOK-2022] - add an attribute for setting /etc/sudoers Defaults
## v1.2.2
- [COOK-1628] - set host in sudo lwrp
## v1.2.0
- [COOK-1314] - default package action is now :install instead of :upgrade
- [COOK-1549] - Preserve SSH agent credentials upon sudo using an attribute
## v1.1.0
- [COOK-350] - LWRP to manage sudo files via include dir (/etc/sudoers.d)
## v1.0.2
- [COOK-903] - freebsd support

@@ -1,19 +1,15 @@
<!-- This is a generated file. Please do not edit directly -->
# Maintainers
This file lists how this cookbook project is maintained. When making changes to the system, this
file tells you who needs to review your patch - you need a simple majority of maintainers
for the relevant subsystems to provide a :+1: on your pull request. Additionally, you need
to not receive a veto from a Lieutenant or the Project Lead.
Check out [How Cookbooks are Maintained](https://github.com/chef-cookbooks/community_cookbook_documentation/blob/master/CONTRIBUTING.MD)
for details on the process and how to become a maintainer or the project lead.
This file lists how this cookbook project is maintained. When making changes to the system, this file tells you who needs to review your patch - you need a review from an existing maintainer for the cookbook to provide a :+1: on your pull request. Additionally, you need to not receive a veto from a Lieutenant or the Project Lead.
Check out [How Cookbooks are Maintained](https://github.com/chef-cookbooks/community_cookbook_documentation/blob/master/CONTRIBUTING.MD) for details on the process and how to become a maintainer or the project lead.
# Project Maintainer
* [Tim Smith](https://github.com/tas50)
# Maintainers
* [Jennifer Davis](https://github.com/sigje)
* [Sean OMeara](https://github.com/someara)
* [Tim Smith](https://github.com/tas50)
* [Thom May](https://github.com/thommay)

@@ -1,4 +1,5 @@
# sudo cookbook
[![Build Status](https://travis-ci.org/chef-cookbooks/sudo.svg?branch=master)](http://travis-ci.org/chef-cookbooks/sudo) [![Cookbook Version](https://img.shields.io/cookbook/v/sudo.svg)](https://supermarket.chef.io/cookbooks/sudo)
The Chef `sudo` cookbook installs the `sudo` package and configures the `/etc/sudoers` file.
@@ -6,16 +7,21 @@ The Chef `sudo` cookbook installs the `sudo` package and configures the `/etc/su
It also exposes an LWRP for adding and managing sudoers.
## Requirements
### Platforms
- Debian/Ubuntu
- RHEL/CentOS/Scientific/Amazon/Oracle
- FreeBSD
- Mac OS X
- openSUSE / Suse
### Chef
- Chef 11+
- Chef 12.1+
### Cookbooks
- None
## Attributes
@@ -45,6 +51,44 @@ To use attributes for defining sudoers, set the attributes above on the node (or
}
```
```json
{
"default_attributes": {
"authorization": {
"sudo": {
"command_aliases": [{
"name": "TEST",
"command_list": [
"/usr/bin/ls",
"/usr/bin/cat"
]
}],
"custom_commands": {
"users": [
{
"user": "test_user",
"passwordless": true,
"command_list": [
"TEST"
]
}
],
"groups": [
{
"group": "test_group",
"passwordless": false,
"command_list": [
"TEST"
]
}
]
}
}
}
}
}
```
```ruby
# roles/example.rb
default_attributes(
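Review bot: The new JSON example combines "passwordless": true for test_user with an alias TEST that contains /usr/bin/cat, so anyone copying it verbatim grants that user password-free reads of any file root can read. Use a narrower command in the example alias, or set passwordless to false on the user entry as the group entry already does. The block is also added with no introducing sentence; one line above it naming custom_commands and its user, group, passwordless and command_list keys would make the example self-explanatory.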
@@ -151,7 +195,7 @@ There are two ways for rendering a sudoer-fragment using this LWRP:
1. Using the built-in template
2. Using a custom, cookbook-level template
Both methods will create the `/etc/sudoers.d/#{username}` file with the correct permissions.
Both methods will create the `/etc/sudoers.d/#{resourcename}` file with the correct permissions.
The LWRP also performs **fragment validation**. If a sudoer-fragment is not valid, the Chef run will throw an exception and fail. This ensures that your sudoers file is always valid and cannot become corrupt (from this cookbook).
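Review bot: The corrected sentence still does not match what the provider writes: the file name comes from sudo_filename, which replaces `.` and `~` in the resource name with `__`, and the directory is built from the prefix attribute rather than a fixed /etc. Suggest saying that the fragment is created in the sudoers.d directory under the configured prefix, named after the resource with `.` and `~` converted to `__`, so users know which file to look for.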
@@ -218,6 +262,12 @@ case it is not already</td>
<td><tt>true</tt></td>
<td><tt>false</tt></td>
</tr>
<tr>
<td>noexec</td>
<td>prevents commands from shelling out</td>
<td><tt>true</tt></td>
<td><tt>false</tt></td>
</tr>
<tr>
<td>runas</td>
<td>User the command(s) can be run as</td>

@@ -1,8 +1,8 @@
#
# Cookbook Name:: sudo
# Attribute File:: default
# Cookbook:: sudo
# Attribute:: File:: default
#
# Copyright 2008-2016, Chef Software, Inc.
# Copyright:: 2008-2016, Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
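Review bot: The rewritten header line "# Attribute:: File:: default" looks like a mechanical conversion of "Attribute File:: default" that split the label in the wrong place. The other files in this commit use one label per line ("# Recipe:: default", "# Provider:: default", "# Resource:: default"), so "# Attribute:: default" would be consistent with them.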
@@ -27,6 +27,8 @@ default['authorization']['sudo']['sudoers_defaults'] = ['!lecture,tty_tickets,!
default['authorization']['sudo']['command_aliases'] = []
default['authorization']['sudo']['env_keep_add'] = []
default['authorization']['sudo']['env_keep_subtract'] = []
default['authorization']['sudo']['custom_commands']['users'] = []
default['authorization']['sudo']['custom_commands']['groups'] = []
default['authorization']['sudo']['prefix'] = case node['platform_family']
when 'smartos'

File diff suppressed because one or more lines are too long

@@ -1,11 +1,11 @@
#
# Author:: Bryan W. Berry (<bryan.berry@gmail.com>)
# Author:: Seth Vargo (<sethvargo@gmail.com>)
# Cookbook Name:: sudo
# Cookbook:: sudo
# Provider:: default
#
# Copyright 2011, Bryan w. Berry
# Copyright 2012, Seth Vargo
# Copyright:: 2011-2016, Bryan w. Berry
# Copyright:: 2012-2016, Seth Vargo
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -20,6 +20,8 @@
# limitations under the License.
#
use_inline_resources
# This LWRP supports whyrun mode
def whyrun_supported?
true
@@ -45,7 +47,7 @@ def validate_fragment!(resource)
file.rewind
cmd = Mixlib::ShellOut.new("visudo -cf #{file.path}").run_command
unless cmd.exitstatus == 0
unless cmd.exitstatus.zero?
Chef::Log.error("Fragment validation failed: \n\n")
Chef::Log.error(file.read)
Chef::Application.fatal!("Template #{file.path} failed fragment validation!")
@@ -87,6 +89,7 @@ def render_sudoer
host: new_resource.host,
runas: new_resource.runas,
nopasswd: new_resource.nopasswd,
noexec: new_resource.noexec,
commands: new_resource.commands,
command_aliases: new_resource.command_aliases,
defaults: new_resource.defaults,
@@ -115,12 +118,13 @@ action :install do
sudoers_dir.run_action(:create)
end
Chef::Log.warn("#{sudo_filename} will be rendered, but will not take effect because node['authorization']['sudo']['include_sudoers_d'] is set to false!") unless node['authorization']['sudo']['include_sudoers_d']
new_resource.updated_by_last_action(true) if render_sudoer
end
# Removes a user from the sudoers group
action :remove do
resource = file "#{node['authorization']['sudo']['prefix']}/sudoers.d/#{new_resource.name}" do
resource = file "#{node['authorization']['sudo']['prefix']}/sudoers.d/#{sudo_filename}" do
action :nothing
end
resource.run_action(:delete)
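Review bot: In the :remove action, switching the path from new_resource.name to sudo_filename fixes removal for names that are sanitized on write, but a fragment left on disk under the raw resource name by an older cookbook version is no longer touched by either action. If such files can exist on upgraded nodes, delete both the sanitized and the raw path here, or document the manual cleanup in the CHANGELOG entry for this change.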
@@ -130,9 +134,9 @@ end
private
# acording to the sudo man pages sudo will ignore files in an include dir that have a `.` or `~`
# It is quite common for users to have a `.` in their login, so we will convert this to `__`
# We convert either to `__`
def sudo_filename
new_resource.name.gsub(/\./, '__')
new_resource.name.gsub(/[\.~]/, '__')
end
# Capture a template to a string
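Review bot: In sudo_filename, mapping both `.` and `~` to the same `__` means distinct resource names such as a.b, a~b and a__b all resolve to one fragment file, so one resource silently overwrites another and :remove on any of them deletes the grants of the others. Consider a different replacement per character, or at least document the collision next to the method. Two smaller points in the same hunk: the backslash in /[\.~]/ is unnecessary inside a character class, and the comment above the method has "acording" for "according".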

@@ -1,8 +1,8 @@
#
# Cookbook Name:: sudo
# Cookbook:: sudo
# Recipe:: default
#
# Copyright 2008-2016, Chef Software, Inc.
# Copyright:: 2008-2016, Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -53,6 +53,8 @@ template "#{prefix}/sudoers" do
sudoers_defaults: node['authorization']['sudo']['sudoers_defaults'],
command_aliases: node['authorization']['sudo']['command_aliases'],
env_keep_add: node['authorization']['sudo']['env_keep_add'],
env_keep_subtract: node['authorization']['sudo']['env_keep_subtract']
env_keep_subtract: node['authorization']['sudo']['env_keep_subtract'],
custom_commands_users: node['authorization']['sudo']['custom_commands']['users'],
custom_commands_groups: node['authorization']['sudo']['custom_commands']['groups']
)
end

@@ -1,9 +1,9 @@
#
# Author:: Bryan W. Berry (<bryan.berry@gmail.com>)
# Cookbook Name:: sudo
# Cookbook:: sudo
# Resource:: default
#
# Copyright 2011-2013, Bryan w. Berry
# Copyright:: 2011-2016, Bryan w. Berry
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -26,6 +26,7 @@ attribute :commands, kind_of: Array, default: ['ALL']
attribute :host, kind_of: String, default: 'ALL'
attribute :runas, kind_of: String, default: 'ALL'
attribute :nopasswd, equal_to: [true, false], default: false
attribute :noexec, equal_to: [true, false], default: false
attribute :template, kind_of: String, default: nil
attribute :variables, kind_of: Hash, default: nil
attribute :defaults, kind_of: Array, default: []
@@ -46,6 +47,7 @@ state_attrs :commands,
:group,
:host,
:nopasswd,
:noexec,
:runas,
:template,
:user,

@@ -14,7 +14,7 @@ Defaults env_keep -= "<%= env_keep %>"
<% end -%>
<% @commands.each do |command| -%>
<%= @sudoer %> <%= @host %>=(<%= @runas %>) <%= 'NOPASSWD:' if @nopasswd %><%= 'SETENV:' if @setenv %><%= command %>
<%= @sudoer %> <%= @host %>=(<%= @runas %>) <%= 'NOEXEC:' if @noexec %><%= 'NOPASSWD:' if @nopasswd %><%= 'SETENV:' if @setenv %><%= command %>
<% end -%>
<% unless @defaults.empty? %>

@@ -7,10 +7,26 @@ Defaults <%= defaults %>
<% if @agent_forwarding -%>
Defaults env_keep+=SSH_AUTH_SOCK
<% end -%>
<% @env_keep_add.each do |env_keep| -%>
Defaults env_keep += "<%= env_keep %>"
<% end -%>
<% @env_keep_subtract.each do |env_keep| -%>
Defaults env_keep -= "<%= env_keep %>"
<% end -%>
# User privilege specification
root ALL=(ALL) ALL
<% @custom_commands_users.each do |commands| -%>
# Privileges for specific command <%= commands[:command_list].join(', ') %> for user <%= commands[:user] %>
<%= commands[:user] %> ALL = <%= "NOPASSWD:" if commands[:passwordless] %> <%= commands[:command_list].join(', ') %>
<% end -%>
<% @custom_commands_groups.each do |commands| -%>
# Privileges for specific command <%= commands[:command_list].join(', ') %> for group <%= commands[:group] %>
%<%= commands[:group] %> ALL = <%= "NOPASSWD:" if commands[:passwordless] %> <%= commands[:command_list].join(', ') %>
<% end -%>
<% @command_aliases.each do |a| -%>
Cmnd_Alias <%= a[:name].upcase %> = <%= a[:command_list].join(', ') %>
<% end -%>
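Review bot: The two custom_commands loops are rendered above the Cmnd_Alias loop, yet the README example added in this commit puts the alias name TEST in a custom_commands command_list, so the generated file references aliases before they are defined. Move the @command_aliases block above the custom_commands blocks so every definition precedes its first use. The new "ALL =" rules also carry no runas specification, unlike the "root ALL=(ALL) ALL" line directly above them; the README should state which user these commands run as.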

@@ -15,6 +15,16 @@ root ALL=(ALL) ALL
<%= user %> ALL=(ALL) <%= "NOPASSWD:" if @passwordless %><%= "SETENV:" if @setenv %>ALL
<% end -%>
<% @custom_commands_users.each do |commands| -%>
# Privileges for specific command <%= commands[:command_list].join(', ') %> for user <%= commands[:user] %>
<%= commands[:user] %> ALL = <%= "NOPASSWD:" if commands[:passwordless] %> <%= commands[:command_list].join(', ') %>
<% end -%>
<% @custom_commands_groups.each do |commands| -%>
# Privileges for specific command <%= commands[:command_list].join(', ') %> for group <%= commands[:group] %>
%<%= commands[:group] %> ALL = <%= "NOPASSWD:" if commands[:passwordless] %> <%= commands[:command_list].join(', ') %>
<% end -%>
<% @sudoers_groups.each do |group| -%>
# Members of the group '<%= group %>' may gain root privileges
%<%= group %> ALL=(ALL) <%= "NOPASSWD:" if @passwordless %><%= "SETENV:" if @setenv %>ALL
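Review bot: These ten lines are a verbatim copy of the block added to the other sudoers template in this commit, so any later fix has to be made in two places; a shared partial would avoid that drift. In both copies commands[:user], commands[:group] and the command_list entries are written unescaped into the rule and into the comment line above it, so a value containing a newline would add an extra line to the main sudoers file. Validating these attributes in the recipe before rendering, for example rejecting whitespace and newlines in user and group, would make a bad value fail the Chef run early.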