166 lines
5.4 KiB
Ruby
166 lines
5.4 KiB
Ruby
#
|
|
# Author:: Bryan W. Berry (<bryan.berry@gmail.com>)
|
|
# Author:: Seth Vargo (<sethvargo@gmail.com>)
|
|
# Cookbook:: sudo
|
|
# Provider:: default
|
|
#
|
|
# Copyright:: 2011-2016, Bryan w. Berry
|
|
# Copyright:: 2012-2016, Seth Vargo
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
#
|
|
|
|
use_inline_resources
|
|
|
|
# This LWRP supports whyrun mode
|
|
def whyrun_supported?
|
|
true
|
|
end
|
|
|
|
# Ensure that the inputs are valid (we cannot just use the resource for this)
|
|
def check_inputs(user, group, foreign_template, _foreign_vars)
|
|
# if group, user, and template are nil, throw an exception
|
|
if user.nil? && group.nil? && foreign_template.nil?
|
|
raise 'You must provide a user, group, or template!'
|
|
elsif !user.nil? && !group.nil? && !template.nil?
|
|
raise 'You cannot specify user, group, and template!'
|
|
end
|
|
end
|
|
|
|
# Validate the given resource (template) by writing it out to a file and then
|
|
# ensuring that file's contents pass `visudo -c`
|
|
def validate_fragment!(resource)
|
|
file = Tempfile.new('sudoer')
|
|
|
|
begin
|
|
file.write(capture(resource))
|
|
file.rewind
|
|
|
|
cmd = Mixlib::ShellOut.new("visudo -cf #{file.path}").run_command
|
|
unless cmd.exitstatus == 0
|
|
Chef::Log.error("Fragment validation failed: \n\n")
|
|
Chef::Log.error(file.read)
|
|
Chef::Application.fatal!("Template #{file.path} failed fragment validation!")
|
|
end
|
|
ensure
|
|
file.close
|
|
file.unlink
|
|
end
|
|
end
|
|
|
|
# Render a single sudoer template. This method has two modes:
|
|
# 1. using the :template option - the user can specify a template
|
|
# that exists in the local cookbook for writing out the attributes
|
|
# 2. using the built-in template (recommended) - simply pass the
|
|
# desired variables to the method and the correct template will be
|
|
# written out for the user
|
|
def render_sudoer
|
|
if new_resource.template
|
|
Chef::Log.debug('Template attribute provided, all other attributes ignored.')
|
|
|
|
resource = template "#{node['authorization']['sudo']['prefix']}/sudoers.d/#{sudo_filename}" do
|
|
source new_resource.template
|
|
owner 'root'
|
|
group node['root_group']
|
|
mode '0440'
|
|
variables new_resource.variables
|
|
action :nothing
|
|
end
|
|
else
|
|
sudoer = new_resource.user || ("%#{new_resource.group}".squeeze('%') if new_resource.group)
|
|
|
|
resource = template "#{node['authorization']['sudo']['prefix']}/sudoers.d/#{sudo_filename}" do
|
|
source 'sudoer.erb'
|
|
cookbook 'sudo'
|
|
owner 'root'
|
|
group node['root_group']
|
|
mode '0440'
|
|
variables sudoer: sudoer,
|
|
host: new_resource.host,
|
|
runas: new_resource.runas,
|
|
nopasswd: new_resource.nopasswd,
|
|
noexec: new_resource.noexec,
|
|
commands: new_resource.commands,
|
|
command_aliases: new_resource.command_aliases,
|
|
defaults: new_resource.defaults,
|
|
setenv: new_resource.setenv,
|
|
env_keep_add: new_resource.env_keep_add,
|
|
env_keep_subtract: new_resource.env_keep_subtract
|
|
action :nothing
|
|
end
|
|
end
|
|
|
|
# Ensure that, adding this sudoer, would not break sudo
|
|
validate_fragment!(resource)
|
|
|
|
resource.run_action(:create)
|
|
|
|
# Return whether the resource was updated so we can notify in the action
|
|
resource.updated_by_last_action?
|
|
end
|
|
|
|
# Default action - install a single sudoer
|
|
action :install do
|
|
target = "#{node['authorization']['sudo']['prefix']}/sudoers.d/"
|
|
|
|
package 'sudo' do
|
|
not_if 'which sudo'
|
|
end
|
|
|
|
unless ::File.exist?(target)
|
|
sudoers_dir = directory target
|
|
sudoers_dir.run_action(:create)
|
|
end
|
|
|
|
Chef::Log.warn("#{sudo_filename} will be rendered, but will not take effect because node['authorization']['sudo']['include_sudoers_d'] is set to false!") unless node['authorization']['sudo']['include_sudoers_d']
|
|
new_resource.updated_by_last_action(true) if render_sudoer
|
|
end
|
|
|
|
# Removes a user from the sudoers group
|
|
action :remove do
|
|
resource = file "#{node['authorization']['sudo']['prefix']}/sudoers.d/#{sudo_filename}" do
|
|
action :nothing
|
|
end
|
|
resource.run_action(:delete)
|
|
new_resource.updated_by_last_action(true) if resource.updated_by_last_action?
|
|
end
|
|
|
|
private
|
|
|
|
# acording to the sudo man pages sudo will ignore files in an include dir that have a `.` or `~`
|
|
# We convert either to `__`
|
|
def sudo_filename
|
|
new_resource.name.gsub(/[\.~]/, '__')
|
|
end
|
|
|
|
# Capture a template to a string
|
|
def capture(template)
|
|
context = {}
|
|
context.merge!(template.variables)
|
|
context[:node] = node
|
|
|
|
eruby = Erubis::Eruby.new(::File.read(template_location(template)))
|
|
eruby.evaluate(context)
|
|
end
|
|
|
|
# Find the template
|
|
def template_location(template)
|
|
if template.local
|
|
template.source
|
|
else
|
|
context = template.instance_variable_get('@run_context')
|
|
cookbook = context.cookbook_collection[template.cookbook || template.cookbook_name]
|
|
cookbook.preferred_filename_on_disk_location(node, :templates, template.source)
|
|
end
|
|
end
|