Add group support (#13)

* Add group support

* Updated tests

.travis.yml

@@ -40,3 +40,7 @@ script:
     | grep -q 'changed=0.*failed=0'
     && (echo 'Idempotence test: pass' && exit 0)
     || (echo 'Idempotence test: fail' && exit 1)
+
+  # Test files are created
+  - sudo cat /etc/sudoers.d/10group
+  - sudo cat /etc/sudoers.d/20user

README.md

@@ -30,20 +30,23 @@ one easy to use role.
 
 ## Role Variables
 
-| Variable                        | Description                                              | Default value                 |
-|---------------------------------|----------------------------------------------------------|-------------------------------|
-| `sudo_package`                  | Install sudo if not available                            | `yes`                         |
-| `sudo_list`                     | List of users and their sudo settings **(see details!)** | `[]`                          |
-| `sudo_list_host`                | List of users and their sudo settings **(see details!)** | `[]`                          |
-| `sudo_list_group`               | List of users and their sudo settings **(see details!)** | `[]`                          |
-| `sudo_default_sudoers`          | Restore default sudoers file if altered?                 | `no`                          |
-| `sudo_default_sudoers_src_path` | Path (local) to default sudoers file                     | path to included default file |
-| `sudo_defaults`                 | List of defaults **(see details!)**                      | `[]`                          |
-| `sudo_host_aliases`             | List of host aliases **(see details!)**                  | `[]`                          |
-| `sudo_user_aliases`             | List of user aliases **(see details!)**                  | `[]`                          |
-| `sudo_runas_aliases`            | List of run as aliases **(see details!)**                | `[]`                          |
-| `sudo_cmnd_aliases`             | List of command aliases **(see details!)**               | `[]`                          |
-| `sudo_sudoersd_dir`             | Sudoers.d directory                                      | '/etc/sudoers.d'              |
+| Variable                        | Description                                               | Default value                 |
+|---------------------------------|-----------------------------------------------------------|-------------------------------|
+| `sudo_package`                  | Install sudo if not available                             | `yes`                         |
+| `sudo_list`                     | List of users and their sudo settings **(see details!)**  | `[]`                          |
+| `sudo_list_host`                | List of users and their sudo settings **(see details!)**  | `[]`                          |
+| `sudo_list_group`               | List of users and their sudo settings **(see details!)**  | `[]`                          |
+| `sudo_grouplist`                | List of groups and their sudo settings **(see details!)** | `[]`                          |
+| `sudo_grouplist_host`           | List of groups and their sudo settings **(see details!)** | `[]`                          |
+| `sudo_grouplist_group`          | List of groups and their sudo settings **(see details!)** | `[]`                          |
+| `sudo_default_sudoers`          | Restore default sudoers file if altered?                  | `no`                          |
+| `sudo_default_sudoers_src_path` | Path (local) to default sudoers file                      | path to included default file |
+| `sudo_defaults`                 | List of defaults **(see details!)**                       | `[]`                          |
+| `sudo_host_aliases`             | List of host aliases **(see details!)**                   | `[]`                          |
+| `sudo_user_aliases`             | List of user aliases **(see details!)**                   | `[]`                          |
+| `sudo_runas_aliases`            | List of run as aliases **(see details!)**                 | `[]`                          |
+| `sudo_cmnd_aliases`             | List of command aliases **(see details!)**                | `[]`                          |
+| `sudo_sudoersd_dir`             | Sudoers.d directory                                       | '/etc/sudoers.d'              |
 
 #### `sudo_defaults` details
 
@@ -80,10 +83,11 @@ sudo_defaults:
 
 `sudo_list`, `sudo_list_host` and `sudo_list_group` are merged when managing
 the sudo settings. You can use the host and group lists to specify users
-settings per host or group off hosts.
+settings per host or group off hosts. The `sudo_grouplist` variables work the
+same way, but for group based sudo settings (name will be prepended with `%`).
 
-The sudo list allows you to define which users sudo settings must be managed.
-Each item in the list can have following attributes:
+The sudo lists allows you to define which users/groups sudo settings must be
+managed. Each item in the list can have following attributes:
 
 | Variable      | Description       | Required | Default |
 |---------------|-------------------|----------|---------|
@@ -101,7 +105,7 @@ Each item in the list can have following attributes:
 | `nologoutput` | NOLOG_OUTPUT flag | no       | `no`    |
 | `logoutput`   | LOG_OUTPUT flag   | no       | `no`    |
 
-You can provide these attributes in a list if a user needs multiple entries.
+You can provide these attributes in a list if a user/group needs multiple entries.
 
 ###### Example `sudo_list`
 
@@ -113,12 +117,6 @@ sudo_list:
       as: ALL:ALL
       commands: ALL
   - name: user1
-  - name: user2
-    sudo:
-      hosts: ALL
-      as: ALL
-      commands: ALL
-      nopasswd: yes
   - name: user3
     sudo:
       - hosts: ALL
@@ -129,6 +127,14 @@ sudo_list:
         as: ALL
         commands: /usr/sbin/less
         noexec: yes
+
+sudo_grouplist:
+  - name: group1
+    sudo:
+      hosts: ALL
+      as: ALL
+      commands: ALL
+      nopasswd: yes
 ```
 
 #### `sudo_***_aliases` details
@@ -144,11 +150,15 @@ list has a name and an alias.
 ###### Example `sudo_***_aliases`
 
 ```yaml
-sudo_***_aliases:
-  - name: EXAMPLE1
-    alias: 'shutdown'
+sudo_cmnd_aliases:
+  - name: POWER
+    alias: 'shutdown, reboot'
+  - name: APT
+    alias: 'apt-get'
+
+sudo_user_aliases:
   - name: EXPAMPLE2
-    alias: 'test, test1, test2'
+    alias: 'user1, user2, user3'
 ```
 
 ## Dependencies
@@ -160,7 +170,8 @@ sudo_***_aliases:
 ---
 - hosts: servers
   roles:
-  - { role: GROG.sudo, become: yes }
+  - role: GROG.sudo
+    become: yes
 ```
 
 Inside `group_vars/servers.yml`:

defaults/main.yml

@@ -11,6 +11,15 @@ sudo_list_host: []
 # list of sudo users
 sudo_list_group: []
 
+# list of sudo groups
+sudo_grouplist: []
+
+# list of sudo groups
+sudo_grouplist_host: []
+
+# list of sudo groups
+sudo_grouplist_group: []
+
 # Restore default sudoers file?
 sudo_default_sudoers: no
 

tasks/main.yml

@@ -52,6 +52,20 @@
           (sudo_runas_aliases|length > 0) or
           (sudo_cmnd_aliases|length > 0) )
 
+- name: Apply sudoers group configuration
+  template:
+    src: 'etc-sudoers.d-group_template.j2'
+    dest: "{{ sudo_sudoersd_dir }}/10{{ item.name }}"
+    owner: root
+    group: root
+    mode: 0440
+    validate: visudo -cf %s
+  when: item.sudo is defined
+  with_flattened:
+    - "{{ sudo_grouplist }}"
+    - "{{ sudo_grouplist_group }}"
+    - "{{ sudo_grouplist_host }}"
+
 - name: Apply sudoers user configuration
   template:
     src: 'etc-sudoers.d-user_template.j2'

templates/etc-sudoers.d-group_template.j2

@@ -0,0 +1,10 @@
+# {{ ansible_managed }}
+
+# Group privilege specification
+{% if item.sudo.hosts is defined %}
+%{{ item.name }} {{ item.sudo.hosts }}=({{ item.sudo.as }}){{ " NOPASSWD:" if ( item.sudo.nopasswd | default(false) ) else "" }}{{ "PASSWD:" if ( item.sudo.passwd | default(false) ) else "" }}{{ "NOEXEC:" if ( item.sudo.noexec | default(false) ) else "" }}{{ "EXEC:" if ( item.sudo.exec | default(false) ) else "" }}{{ "NOSETENV:" if ( item.sudo.nosetenv | default(false) ) else "" }}{{ "SETENV:" if ( item.sudo.setenv | default(false) ) else "" }}{{ "NOLOG_INPUT:" if ( item.sudo.nologinput | default(false) ) else "" }}{{ "LOG_INPUT:" if ( item.sudo.loginput | default(false) ) else "" }}{{ "NOLOG_OUTPUT:" if ( item.sudo.nologoutput | default(false) ) else "" }}{{ "LOG_OUTPUT:" if ( item.sudo.logoutput | default(false) ) else "" }} {{ item.sudo.commands }}
+{% else %}
+{% for entry in item.sudo %}
+%{{ item.name }} {{ entry.hosts }}=({{ entry.as }}){{ " NOPASSWD:" if ( entry.nopasswd | default(false) ) else "" }}{{ "PASSWD:" if ( entry.passwd | default(false) ) else "" }}{{ "NOEXEC:" if ( entry.noexec | default(false) ) else "" }}{{ "EXEC:" if ( entry.exec | default(false) ) else "" }}{{ "NOSETENV:" if ( entry.nosetenv | default(false) ) else "" }}{{ "SETENV:" if ( entry.setenv | default(false) ) else "" }}{{ "NOLOG_INPUT:" if ( entry.nologinput | default(false) ) else "" }}{{ "LOG_INPUT:" if ( entry.loginput | default(false) ) else "" }}{{ "NOLOG_OUTPUT:" if ( entry.nologoutput | default(false) ) else "" }}{{ "LOG_OUTPUT:" if ( entry.logoutput | default(false) ) else "" }} {{ entry.commands }}
+{% endfor %}
+{% endif %}

tests/test.yml

@@ -4,7 +4,13 @@
   roles:
     - role: ansible-role-sudo
       sudo_list:
-        - name: test
+        - name: user
+          sudo:
+            hosts: ALL
+            as: ALL
+            commands: ALL
+      sudo_grouplist:
+        - name: group
           sudo:
             hosts: ALL
             as: ALL