commit 17c935af1d507d1526448188d5ed58d4034a4719
Author: Eric Renfro
Date: Wed May 13 00:08:15 2015 -0400
Initial release 0.1.0
diff --git a/Berksfile b/Berksfile
new file mode 100644
index 0000000..40e1882
--- /dev/null
+++ b/Berksfile
@@ -0,0 +1,6 @@
+source "https://supermarket.chef.io"
+
+metadata
+
+cookbook 'sudo', ">= 2.7.1"
+
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..309543c
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,13 @@
+sudo_rules CHANGELOG
+====================
+
+This file is used to list changes made in each version of the sudo_rules cookbook.
+
+0.1.0
+-----
+- [erenfro] - Initial release of test
+
+- - -
+Check the [Markdown Syntax Guide](http://daringfireball.net/projects/markdown/syntax) for help with Markdown.
+
+The [Github Flavored Markdown page](http://github.github.com/github-flavored-markdown/) describes the differences between markdown on github and standard markdown.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..2c9f4d5
--- /dev/null
+++ b/README.md
@@ -0,0 +1,95 @@
+sudo_rules Cookbook
+===================
+Reads through a special data bag of sudo rules to compile a list of sudoers.d rules to create/remove.
+
+Requirements
+------------
+#### packages
+- sudo
+
+Attributes
+----------
+TODO: List your cookbook attributes here.
+
+e.g.
+#### sudo_rules::default + + + + + + + + + + + + +
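Review bot: The explicit `cookbook 'sudo', ">= 2.7.1"` line in the Berksfile duplicates the constraint that the `metadata` directive already imports from metadata.rb's `depends 'sudo', '>= 2.7.1'`, so there are now two places that must be kept in sync and they can silently drift apart. Either drop the `cookbook` line and let `metadata` carry the dependency, or, if the Berksfile is meant to be the authoritative pin for test/vendor runs, give it a bounded constraint such as `cookbook 'sudo', '~> 2.7'` so a future major release of the sudo cookbook with a changed `sudo` resource interface is not resolved automatically.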
KeyTypeDescriptionDefault
['sudo_rules']['data_bag']StringName of data bag to use for entriessudo_rules
+ +Usage +----- +#### sudo_rules::default + +Include `sudo_rules` in your node's `run_list`: + +```json +{ + "name":"my_node", + "run_list": [ + "recipe[sudo_rules]" + ] +} +``` + +And provide properly formatted data bag: + +```json +{ + "id": "Data Bag unique name, default value for name below", + "name": "Name of the sudoers.d file + "hosts": [ + "fqdn1", + "fqdn2", + ... + ], + "action": "create", + "user": "someuser", + "runas": "ALL", + "commands": [ + "/usr/sbin/somecommand args", + "/usr/sbin/anothercommand", + ... + ], + "defaults": [ + "env_reset" + ] +} +``` + +Id: Required: Name of Data Bag item, and sudoers.d/Id filename. +Name: Optional: Instead of using Id, you can choose the name of the file for sudoers.d/Name instead. +Hosts: Required: List of hosts to apply this rule to by fqdn, can be wildcard matched. +Action: `create` or `remove`: Default `create` +User: Required: Username or %Groupname to use for the sudo rule. +Runas: Allowed colon-separated list of users for sudoers runas: Default `ALL` +Commands: Required: List of commands (and arguments) this rule adds for the user/group. +Defaults: List of defaults this user has. + +Contributing +------------ +TODO: (optional) If this is a public cookbook, detail the process for contributing. If this is a private cookbook, remove this section. + +e.g. +1. Fork the repository on Github +2. Create a named feature branch (like `add_component_x`) +3. Write your change +4. Write tests for your change (if applicable) +5. Run the tests, ensuring they all pass +6. Submit a Pull Request using Github + +License and Authors +------------------- +Authors: TODO: List authors + diff --git a/attributes/default.rb b/attributes/default.rb new file mode 100644 index 0000000..884b905 --- /dev/null +++ b/attributes/default.rb @@ -0,0 +1,2 @@ +default["sudo_rules"]["data_bag"] = "sudo_rules" + diff --git a/metadata.rb b/metadata.rb new file mode 100644 index 0000000..ecc4167 --- /dev/null +++ b/metadata.rb 
@@ -0,0 +1,10 @@
+name 'sudo_rules'
+maintainer 'Linux-Help.org'
+maintainer_email 'erenfro@linux-help.org'
+license 'All rights reserved'
+description 'Configures sudo rules from data bags using the sudo cookbook'
+long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
+version '0.1.0'
+
+depends 'sudo', '>= 2.7.1'
+
diff --git a/recipes/default.rb b/recipes/default.rb
new file mode 100644
index 0000000..966e950
--- /dev/null
+++ b/recipes/default.rb
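Review bot: `depends 'sudo', '>= 2.7.1'` has no upper bound, while the recipe in this commit drives the `sudo` resource through a specific property set (`name`, `user`, `runas`, `nopasswd`, `commands`, `defaults`), so any later major release of the sudo cookbook that renames or drops one of those properties will be pulled in on the next dependency resolution and break sudoers generation on every node in the run. A pessimistic constraint, `depends 'sudo', '~> 2.7'`, keeps the patch/minor upgrades the cookbook needs while requiring a deliberate bump for a major change; whichever bound is chosen, it should match the one in the Berksfile so the two manifests do not disagree.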
@@ -0,0 +1,98 @@
+#
+# Cookbook Name:: sudo_rules
+# Recipe:: default
+#
+# Copyright 2015, Linux-Help.org
+#
+# All rights reserved - Do Not Redistribute
+#
+
+include_recipe "sudo"
+
+node.override['authorization']['sudo']['include_sudoers_d'] = true
+search_node = node['fqdn']
+
+if Chef::Config[:solo] and nod chef_solo_search_installed?
+ Chef::Log.warn("This recipe uses search. Chef Solo does not support search unless you install the chef-solo-search cookbook.")
+else
+ search(node['sudo_rules']['data_bag'], "hosts:#{search_node}").each do |rule|
+ # Name
+ if rule["name"].kind_of?(String)
+ rule_name = rule["name"]
+ else
+ rule_name = rule["id"]
+ end
+
+ # Action Create/Remove
+ if rule["action"].kind_of?(String)
+ if rule["action"] == "create" or rule["action"] == "remove"
+ rule_action = rule["action"]
+ else
+ rule_action = "create"
+ end
+ else
+ rule_action = "create"
+ end
+
+ # Username or Group
+ if rule['user'].kind_of?(String)
+ rule_user = rule['user']
+ else
+ Chef::Log.warn("data_bag #{rule['id']} has no user entry and is required. Skipped.")
+ next
+ end
+
+ # Pasword or NoPassword
+ if rule['nopasswd'].kind_of?(TrueClass)
+ rule_nopasswd = rule['nopasswd']
+ else
+ rule_nopasswd = false
+ end
+
+ # RunAS
+ if rule['runas'].kind_of?(String)
+ rule_runas = rule['runas']
+ else
+ rule_runas = 'ALL'
+ end
+
+ # Commands
+ if rule['commands'].kind_of?(Array)
+ rule_commands = rule['commands']
+ elsif rule['rules'].kind_of?(String)
+ rule_commands = [ rule['commands'] ]
+ else
+ Chef::Log.warn("data_bag #{rule['id']} has no commands is required. Skipped.")
+ next
+ end
+
+ # Defaults
+ if rule['defaults'].kind_of?(Array)
+ rule_defaults = rule['defaults']
+ elsif rule['defaults'].kind_of?(String)
+ rule_defaults = [ rule['defaults'] ]
+ else
+ rule_defaults = []
+ end
+
+ sudo rule["id"] do
+ name rule_name
+ user rule_user
+ runas rule_runas
+ nopasswd rule_nopasswd
+ commands rule_commands
+ defaults rule_defaults
+ end
+
+ #puts "ID: #{rule["id"]}"
+ #puts "Name: #{rule_name}"
+ #puts "Action: #{rule_action}"
+ #puts "User: #{rule_user}"
+ #puts "Runas: #{rule_runas}"
+ #puts "Nopasswd #{rule_nopasswd}"
+ #puts "Commands: #{rule_commands}"
+ #puts "Defaults: #{rule_defaults}"
+ #puts "--"
+ end
+end
+
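Review bot: `rule_action` is parsed from the data bag item in the `# Action Create/Remove` branch but never handed to the `sudo` resource, so an item switched to `"action": "remove"` is still installed and a revoked sudoers.d grant stays on every matching host; add `action(rule_action == "remove" ? :remove : :install)` inside the `sudo rule["id"] do` block (the resource exposes `:install`/`:remove` in the sudo cookbook 2.x releases as far as I recall — verify against the pinned version, since `:create` is not one of its actions). Two typos in the same hunk also change behavior: `if Chef::Config[:solo] and nod chef_solo_search_installed?` calls an undefined `nod` method and raises NoMethodError on chef-solo instead of logging the intended warning, so it should read `if Chef::Config[:solo] and not chef_solo_search_installed?`; and `elsif rule['rules'].kind_of?(String)` tests the wrong key, so a string-valued `commands` is rejected with the "has no commands" warning while an item that happens to carry a string `rules` key yields `[nil]` as the command list — it should be `elsif rule['commands'].kind_of?(String)`. Separately, `node.override['authorization']['sudo']['include_sudoers_d'] = true` is set after `include_recipe "sudo"` has already compiled that recipe's resources; if the sudo recipe reads this attribute when it declares its `/etc/sudoers` template (I cannot confirm that from here), the override arrives too late and the `#includedir` line the generated sudoers.d files depend on would be missing, so moving the override above the `include_recipe` line is the safe ordering either way.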