From 3dd512f5f2b264246f719cd695f01718b5c6212f Mon Sep 17 00:00:00 2001 From: Stefan Joosten Date: Tue, 23 Jan 2024 14:50:47 +0100 Subject: [PATCH] Allow Runas specification to be optional The Runas_Spec is an optional statement in sudo configuration [1]: > If no Runas_Spec is specified, the command may only be run as the > runas_default user (root by default) and the group, if specified, > must be one that the runas_default user is a member of. This commit allows omitting the 'as:' in the role's 'sudo_list*[].sudo' list mappings. [1]: https://www.sudo.ws/docs/man/1.9.15/sudoers.man/#Runas_Spec --- README.md | 4 +++- templates/etc-sudoers.d-group_template.j2 | 4 ++-- templates/etc-sudoers.d-user_template.j2 | 4 ++-- 3 files changed, 7 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index fa69cd0..8ce4a54 100644 --- a/README.md +++ b/README.md @@ -117,7 +117,7 @@ attributes for each list entry; | Variable | Description | Required | Default | |---------------|-------------------|----------|---------| | `hosts` | Hosts | yes | / | -| `as` | Operators | yes | / | +| `as` | Operators | no | / | | `commands` | Commands | yes | / | | `nopasswd` | NOPASSWD flag | no | `no` | | `passwd` | PASSWD flag | no | `no` | @@ -145,6 +145,8 @@ sudo_list: - hosts: ALL as: root commands: /usr/sbin/poweroff + - hosts: ALL + commands: /usr/sbin/reboot nopasswd: yes - hosts: ALL as: ALL diff --git a/templates/etc-sudoers.d-group_template.j2 b/templates/etc-sudoers.d-group_template.j2 index 3bcbdb2..6b0ed0c 100644 --- a/templates/etc-sudoers.d-group_template.j2 +++ b/templates/etc-sudoers.d-group_template.j2 
@@ -2,9 +2,9 @@
 # Group privilege specification
 {% if item.sudo.hosts is defined %}
-%{{ item.name }} {{ item.sudo.hosts }}=({{ item.sudo.as }}){{ " NOPASSWD:" if ( item.sudo.nopasswd | default(false) ) else "" }}{{ "PASSWD:" if ( item.sudo.passwd | default(false) ) else "" }}{{ "NOEXEC:" if ( item.sudo.noexec | default(false) ) else "" }}{{ "EXEC:" if ( item.sudo.exec | default(false) ) else "" }}{{ "NOSETENV:" if ( item.sudo.nosetenv | default(false) ) else "" }}{{ "SETENV:" if ( item.sudo.setenv | default(false) ) else "" }}{{ "NOLOG_INPUT:" if ( item.sudo.nologinput | default(false) ) else "" }}{{ "LOG_INPUT:" if ( item.sudo.loginput | default(false) ) else "" }}{{ "NOLOG_OUTPUT:" if ( item.sudo.nologoutput | default(false) ) else "" }}{{ "LOG_OUTPUT:" if ( item.sudo.logoutput | default(false) ) else "" }} {{ item.sudo.commands }}
+%{{ item.name }} {{ item.sudo.hosts }}={% if item.sudo.as is defined %}({{ item.sudo.as }}){% endif %}{{ " NOPASSWD:" if ( item.sudo.nopasswd | default(false) ) else "" }}{{ "PASSWD:" if ( item.sudo.passwd | default(false) ) else "" }}{{ "NOEXEC:" if ( item.sudo.noexec | default(false) ) else "" }}{{ "EXEC:" if ( item.sudo.exec | default(false) ) else "" }}{{ "NOSETENV:" if ( item.sudo.nosetenv | default(false) ) else "" }}{{ "SETENV:" if ( item.sudo.setenv | default(false) ) else "" }}{{ "NOLOG_INPUT:" if ( item.sudo.nologinput | default(false) ) else "" }}{{ "LOG_INPUT:" if ( item.sudo.loginput | default(false) ) else "" }}{{ "NOLOG_OUTPUT:" if ( item.sudo.nologoutput | default(false) ) else "" }}{{ "LOG_OUTPUT:" if ( item.sudo.logoutput | default(false) ) else "" }} {{ item.sudo.commands }}
 {% else %}
 {% for entry in item.sudo %}
-%{{ item.name }} {{ entry.hosts }}=({{ entry.as }}){{ " NOPASSWD:" if ( entry.nopasswd | default(false) ) else "" }}{{ "PASSWD:" if ( entry.passwd | default(false) ) else "" }}{{ "NOEXEC:" if ( entry.noexec | default(false) ) else "" }}{{ "EXEC:" if ( entry.exec | default(false) ) else "" }}{{ 
"NOSETENV:" if ( entry.nosetenv | default(false) ) else "" }}{{ "SETENV:" if ( entry.setenv | default(false) ) else "" }}{{ "NOLOG_INPUT:" if ( entry.nologinput | default(false) ) else "" }}{{ "LOG_INPUT:" if ( entry.loginput | default(false) ) else "" }}{{ "NOLOG_OUTPUT:" if ( entry.nologoutput | default(false) ) else "" }}{{ "LOG_OUTPUT:" if ( entry.logoutput | default(false) ) else "" }} {{ entry.commands }}
+%{{ item.name }} {{ entry.hosts }}={% if entry.as is defined %}({{ entry.as }}){% endif %}{{ " NOPASSWD:" if ( entry.nopasswd | default(false) ) else "" }}{{ "PASSWD:" if ( entry.passwd | default(false) ) else "" }}{{ "NOEXEC:" if ( entry.noexec | default(false) ) else "" }}{{ "EXEC:" if ( entry.exec | default(false) ) else "" }}{{ "NOSETENV:" if ( entry.nosetenv | default(false) ) else "" }}{{ "SETENV:" if ( entry.setenv | default(false) ) else "" }}{{ "NOLOG_INPUT:" if ( entry.nologinput | default(false) ) else "" }}{{ "LOG_INPUT:" if ( entry.loginput | default(false) ) else "" }}{{ "NOLOG_OUTPUT:" if ( entry.nologoutput | default(false) ) else "" }}{{ "LOG_OUTPUT:" if ( entry.logoutput | default(false) ) else "" }} {{ entry.commands }}
 {% endfor %}
 {% endif %}
diff --git a/templates/etc-sudoers.d-user_template.j2 b/templates/etc-sudoers.d-user_template.j2
index 7f2b5f9..39e6973 100644
--- a/templates/etc-sudoers.d-user_template.j2
+++ b/templates/etc-sudoers.d-user_template.j2
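Review bot: The `is defined` test on the two new `+` lines only catches an absent `as` key; an entry written as `as:` with no value (YAML null) or `as: ""` is still defined and, as far as I can tell from Ansible's rendering of None, produces `(None)` or `()`, which sudoers reads as a non-existent runas user or as "invoking user only" rather than the runas_default fallback the commit message describes. Tightening both guards to `{% if entry.as is defined and entry.as is not none %}` (and `item.sudo.as` likewise), or failing the play on an empty value, keeps the two spellings from silently diverging. Because omitting `as` now means the command runs as sudo's runas_default (root on stock installs), a template comment above the spec lines such as `{# no Runas_Spec => runs as runas_default (root) #}` would make that privilege implication visible to the next editor.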
@@ -2,9 +2,9 @@
 # User privilege specification
 {% if item.sudo.hosts is defined %}
-{{ item.name }} {{ item.sudo.hosts }}=({{ item.sudo.as }}){{ " NOPASSWD:" if ( item.sudo.nopasswd | default(false) ) else "" }}{{ "PASSWD:" if ( item.sudo.passwd | default(false) ) else "" }}{{ "NOEXEC:" if ( item.sudo.noexec | default(false) ) else "" }}{{ "EXEC:" if ( item.sudo.exec | default(false) ) else "" }}{{ "NOSETENV:" if ( item.sudo.nosetenv | default(false) ) else "" }}{{ "SETENV:" if ( item.sudo.setenv | default(false) ) else "" }}{{ "NOLOG_INPUT:" if ( item.sudo.nologinput | default(false) ) else "" }}{{ "LOG_INPUT:" if ( item.sudo.loginput | default(false) ) else "" }}{{ "NOLOG_OUTPUT:" if ( item.sudo.nologoutput | default(false) ) else "" }}{{ "LOG_OUTPUT:" if ( item.sudo.logoutput | default(false) ) else "" }} {{ item.sudo.commands }}
+{{ item.name }} {{ item.sudo.hosts }}={% if item.sudo.as is defined %}({{ item.sudo.as }}){% endif %}{{ " NOPASSWD:" if ( item.sudo.nopasswd | default(false) ) else "" }}{{ "PASSWD:" if ( item.sudo.passwd | default(false) ) else "" }}{{ "NOEXEC:" if ( item.sudo.noexec | default(false) ) else "" }}{{ "EXEC:" if ( item.sudo.exec | default(false) ) else "" }}{{ "NOSETENV:" if ( item.sudo.nosetenv | default(false) ) else "" }}{{ "SETENV:" if ( item.sudo.setenv | default(false) ) else "" }}{{ "NOLOG_INPUT:" if ( item.sudo.nologinput | default(false) ) else "" }}{{ "LOG_INPUT:" if ( item.sudo.loginput | default(false) ) else "" }}{{ "NOLOG_OUTPUT:" if ( item.sudo.nologoutput | default(false) ) else "" }}{{ "LOG_OUTPUT:" if ( item.sudo.logoutput | default(false) ) else "" }} {{ item.sudo.commands }}
 {% else %}
 {% for entry in item.sudo %}
-{{ item.name }} {{ entry.hosts }}=({{ entry.as }}){{ " NOPASSWD:" if ( entry.nopasswd | default(false) ) else "" }}{{ "PASSWD:" if ( entry.passwd | default(false) ) else "" }}{{ "NOEXEC:" if ( entry.noexec | default(false) ) else "" }}{{ "EXEC:" if ( entry.exec | default(false) ) else "" }}{{ "NOSETENV:" if 
( entry.nosetenv | default(false) ) else "" }}{{ "SETENV:" if ( entry.setenv | default(false) ) else "" }}{{ "NOLOG_INPUT:" if ( entry.nologinput | default(false) ) else "" }}{{ "LOG_INPUT:" if ( entry.loginput | default(false) ) else "" }}{{ "NOLOG_OUTPUT:" if ( entry.nologoutput | default(false) ) else "" }}{{ "LOG_OUTPUT:" if ( entry.logoutput | default(false) ) else "" }} {{ entry.commands }}
+{{ item.name }} {{ entry.hosts }}={% if entry.as is defined %}({{ entry.as }}){% endif %}{{ " NOPASSWD:" if ( entry.nopasswd | default(false) ) else "" }}{{ "PASSWD:" if ( entry.passwd | default(false) ) else "" }}{{ "NOEXEC:" if ( entry.noexec | default(false) ) else "" }}{{ "EXEC:" if ( entry.exec | default(false) ) else "" }}{{ "NOSETENV:" if ( entry.nosetenv | default(false) ) else "" }}{{ "SETENV:" if ( entry.setenv | default(false) ) else "" }}{{ "NOLOG_INPUT:" if ( entry.nologinput | default(false) ) else "" }}{{ "LOG_INPUT:" if ( entry.loginput | default(false) ) else "" }}{{ "NOLOG_OUTPUT:" if ( entry.nologoutput | default(false) ) else "" }}{{ "LOG_OUTPUT:" if ( entry.logoutput | default(false) ) else "" }} {{ entry.commands }}
 {% endfor %}
 {% endif %}
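Review bot: The `{% if ... is defined %}` guard added on both `+` lines here is now the fourth hand-maintained copy of the Runas_Spec logic (two branches in this template, two in the group template), which is exactly where a privilege-affecting edge case tends to drift between files. A small shared macro, e.g. `{% macro runas(spec) %}{% if spec.as is defined and spec.as is not none %}({{ spec.as }}){% endif %}{% endmacro %}` in an included file, would let both templates render `{{ runas(entry) }}` and keep the handling identical. Independently of the macro, `is defined` on its own still passes a YAML null (`as:` with no value) through; in Ansible's rendering that appears to become `(None)`, which is neither a real runas user nor the runas_default fallback the commit message describes, so the `is not none` half is worth adding either way.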