From e84ea3c3bc7ae11469d71679512699d865bc5690 Mon Sep 17 00:00:00 2001 From: Radovan Sroka Date: Mon, 20 May 2024 12:31:35 +0200 Subject: [PATCH] Add larger test which uses more attributes Signed-off-by: Radovan Sroka --- examples/multiple_sudoers_configuration.yml | 2 +- tasks/main.yml | 2 +- .../tests_large_configuration_pingers.ok | 11 + tests/files/tests_large_configuration_root.ok | 10 + ...k => tests_large_configuration_sudoers.ok} | 17 ++ tests/files/tests_multiple_sudoers_sudoers.ok | 2 +- tests/tests_large_configuration.yml | 230 ++++++++++++++++++ tests/tests_multiple_sudoers.yml | 2 +- 8 files changed, 272 insertions(+), 4 deletions(-) create mode 100644 tests/files/tests_large_configuration_pingers.ok create mode 100644 tests/files/tests_large_configuration_root.ok rename tests/files/{tests_multiple_sudoers.ok => tests_large_configuration_sudoers.ok} (65%) create mode 100644 tests/tests_large_configuration.yml diff --git a/examples/multiple_sudoers_configuration.yml b/examples/multiple_sudoers_configuration.yml index 4132a0b..54a6b1b 100644 --- a/examples/multiple_sudoers_configuration.yml +++ b/examples/multiple_sudoers_configuration.yml @@ -75,7 +75,7 @@ cmnd_alias: - name: PING commands: - - /bin/ping + - /usr/bin/ping user_alias: - name: PINGERS users: diff --git a/tasks/main.yml b/tasks/main.yml index 95904aa..2453457 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -42,7 +42,7 @@ - name: Ensure /etc/sudoers is configured template: src: sudoers.j2 - dest: "{{ item.path }}" + dest: "{{ item.path }}" owner: root group: root mode: 0440 diff --git a/tests/files/tests_large_configuration_pingers.ok b/tests/files/tests_large_configuration_pingers.ok new file mode 100644 index 0000000..6361ad9 --- /dev/null +++ b/tests/files/tests_large_configuration_pingers.ok 
@@ -0,0 +1,11 @@ +# +# Ansible managed +# +# system_role:sudo + + +# Default override specifications +Defaults: PINGERS !requiretty +Defaults> root !set_logname +Defaults@ host1, host2 !requiretty, !requiretty +Defaults! /usr/bin/ls !requiretty diff --git a/tests/files/tests_large_configuration_root.ok b/tests/files/tests_large_configuration_root.ok new file mode 100644 index 0000000..f3da320 --- /dev/null +++ b/tests/files/tests_large_configuration_root.ok @@ -0,0 +1,10 @@ +# +# Ansible managed +# +# system_role:sudo + +# Default specifications +Defaults syslog=auth + +# Default override specifications +Defaults> root !set_logname diff --git a/tests/files/tests_multiple_sudoers.ok b/tests/files/tests_large_configuration_sudoers.ok similarity index 65% rename from tests/files/tests_multiple_sudoers.ok rename to tests/files/tests_large_configuration_sudoers.ok index 3e29e25..c0805f9 100644 --- a/tests/files/tests_multiple_sudoers.ok +++ b/tests/files/tests_large_configuration_sudoers.ok @@ -1,6 +1,7 @@ # # Ansible managed # +# system_role:sudo # Default specifications Defaults !visiblepw @@ -16,10 +17,26 @@ Defaults env_keep += "LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETAR Defaults env_keep += "LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL" Defaults env_keep += "LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" +# Alias specifications +## Command Aliases +Cmnd_Alias PING = /usr/bin/ping +## Host Aliases +Host_Alias HOST = myhost +## Runas Aliases +Runas_Alias RUNAS = username +## User Aliases +User_Alias PINGERS = username + # User specifications root ALL=(ALL) ALL %wheel ALL=(ALL) ALL +# Default override specifications +Defaults: PINGERS !requiretty +Defaults> root !set_logname +Defaults@ host1, host2 !requiretty, !requiretty +Defaults! /usr/bin/cd !requiretty + # Includes ## Include directories #includedir /etc/sudoers.d diff --git a/tests/files/tests_multiple_sudoers_sudoers.ok b/tests/files/tests_multiple_sudoers_sudoers.ok index 71076a5..d75c7a2 100644 
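Review bot: `Defaults@ host1, host2 !requiretty, !requiretty` pins a repeated option into the expected output; it comes from the duplicated `"!requiretty"` entry under the `/etc/sudoers.d/pingers` host spec in `tests/tests_large_configuration.yml`, which reads like a copy/paste slip for `!set_logname` (the `/etc/sudoers` host spec in the same playbook lists `!requiretty` and `!set_logname`). sudo accepts the repetition, so the fixture passes while only one distinct host-level option is actually exercised. If the duplicate is unintended, change the playbook entry to `- "!set_logname"` and this line to `Defaults@ host1, host2 !requiretty, !set_logname`.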
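Review bot: The new `Defaults@ host1, host2 !requiretty, !requiretty` line does not match the input that generates this file: the `/etc/sudoers` host spec in `tests/tests_large_configuration.yml` lists `"!requiretty"` and `"!set_logname"`, which would render as `!requiretty, !set_logname`. The test intends a byte-exact sha256 comparison between the rendered `/etc/sudoers` and this fixture, so the two cannot both be right; presumably the fixture line should read `Defaults@ host1, host2 !requiretty, !set_logname`, otherwise the playbook entry needs to change to match. Note also that this file is named `tests_large_configuration_sudoers.ok` while the playbook stats `files/test_large_configuration_sudoers.ok` (no `s`), so the fixture is never actually read.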
--- a/tests/files/tests_multiple_sudoers_sudoers.ok +++ b/tests/files/tests_multiple_sudoers_sudoers.ok @@ -19,7 +19,7 @@ Defaults env_keep += "LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" # Alias specifications ## Command Aliases -Cmnd_Alias PING = /bin/ping +Cmnd_Alias PING = /usr/bin/ping diff --git a/tests/tests_large_configuration.yml b/tests/tests_large_configuration.yml new file mode 100644 index 0000000..bfe2d40 --- /dev/null +++ b/tests/tests_large_configuration.yml 
@@ -0,0 +1,230 @@ +--- +- name: Basic test for Sudo + hosts: all + tasks: + - name: Run tests + block: + - name: Run the role + include_role: + name: linux-system-roles.sudo + vars: + sudo_rewrite_default_sudoers_file: true + sudo_remove_unauthorized_included_files: true + sudo_sudoers_files: + - path: /etc/sudoers + defaults: + - "!visiblepw" + - always_set_home + - match_group_by_gid + - always_query_group_plugin + - env_reset + - secure_path: + - /sbin + - /bin + - /usr/sbin + - /usr/bin + - env_keep: + - COLORS + - DISPLAY + - HOSTNAME + - HISTSIZE + - KDEDIR + - LS_COLORS + - MAIL + - PS1 + - PS2 + - QTDIR + - USERNAME + - LANG + - LC_ADDRESS + - LC_CTYPE + - LC_COLLATE + - LC_IDENTIFICATION + - LC_MEASUREMENT + - LC_MESSAGES + - LC_MONETARY + - LC_NAME + - LC_NUMERIC + - LC_PAPER + - LC_TELEPHONE + - LC_TIME + - LC_ALL + - LANGUAGE + - LINGUAS + - _XKB_CHARSET + - XAUTHORITY + user_specifications: + - users: + - root + hosts: + - ALL + operators: + - ALL + commands: + - ALL + - users: + - "%wheel" + hosts: + - ALL + operators: + - ALL + commands: + - ALL + - type: user + defaults: + - "!requiretty" + users: + - PINGERS + - type: runas + defaults: + - "!set_logname" + operators: + - root + - type: host + defaults: + - "!requiretty" + - "!set_logname" + hosts: + - host1 + - host2 + - type: command + defaults: + - "!requiretty" + commands: + - /usr/bin/cd + include_directories: + - /etc/sudoers.d + aliases: + cmnd_alias: + - name: PING + commands: + - /usr/bin/ping + host_alias: + - name: HOST + hosts: + - myhost + user_alias: + - name: PINGERS + users: + - username + runas_alias: + - name: RUNAS + users: + - username + - path: /etc/sudoers.d/pingers + user_specifications: + - type: user + defaults: + - "!requiretty" + users: + - PINGERS + - type: runas + defaults: + - "!set_logname" + operators: + - root + - type: host + defaults: + - "!requiretty" + - "!requiretty" + hosts: + - host1 + - host2 + - type: command + defaults: + - "!requiretty" + commands: + - 
/usr/bin/ls + - path: /etc/sudoers.d/root + defaults: + - syslog=auth + user_specifications: + - type: runas + defaults: + - "!set_logname" + operators: + - root + + - name: Create temp test directory + tempfile: + path: /var/tmp + prefix: sudo_ + state: directory + register: __sudo_tmpdir + + - name: Backup sudoers + copy: + src: /etc/sudoers + dest: "{{ __sudo_tmpdir.path }}/sudoers" + owner: root + group: root + mode: 0644 + remote_src: true + + - name: Backup sudoers.d + copy: + src: /etc/sudoers.d + dest: "{{ __sudo_tmpdir.path }}/sudoers.d" + owner: root + group: root + mode: 0644 + remote_src: true + + - name: Get stat of tests/files/test_large_configuration_sudoers.ok + delegate_to: localhost + stat: + path: files/test_large_configuration_sudoers.ok + checksum_algorithm: sha256 + register: sudoers_ok + + # sha256sum ./files/test_large_configuration_sudoers.ok + - name: Check sudoers + command: >- + echo "{{ sudoers.ok.stat.checksum }} /etc/sudoers" | sha256sum --check + + - name: Get stat of tests/files/test_large_configuration_pingers.ok + delegate_to: localhost + stat: + path: files/test_large_configuration_pingers.ok + checksum_algorithm: sha256 + register: pingers_ok + + # sha256sum ./files/test_large_configuration_pingers.ok + - name: Check pingers + command: >- + echo "{{ pingers.ok.stat.checksum }} /etc/sudoers.d/pingers" | sha256sum --check + + - name: Get stat of tests/files/test_large_configuration_root.ok + delegate_to: localhost + stat: + path: files/test_large_configuration_root.ok + checksum_algorithm: sha256 + register: root_ok + + # sha256sum ./files/test_large_configuration_root.ok + - name: Check root + command: >- + echo "{{ sudoers.ok.stat.checksum }} /etc/sudoers.d/root" | sha256sum --check + + - name: Restore sudoers + copy: + src: "{{ __sudo_tmpdir.path }}/sudoers" + dest: /etc/sudoers + owner: root + group: root + mode: 0644 + remote_src: true + + - name: Restore sudoers.d + copy: + src: "{{ __sudo_tmpdir.path }}/sudoers.d" + dest: 
/etc/sudoers.d + owner: root + group: root + mode: 0644 + remote_src: true + + - name: Clean up temp directory + file: + path: "{{ __sudo_tmpdir.path }}" + state: absent diff --git a/tests/tests_multiple_sudoers.yml b/tests/tests_multiple_sudoers.yml index 33bea1e..d4e9cd2 100644 --- a/tests/tests_multiple_sudoers.yml +++ b/tests/tests_multiple_sudoers.yml @@ -76,7 +76,7 @@ cmnd_alias: - name: PING commands: - - /bin/ping + - /usr/bin/ping user_alias: - name: PINGERS users:
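Review bot: The three `Check …` tasks never run `sha256sum --check`: the `command` module does not go through a shell, so the `|` is handed to `echo` as a literal argument and the task passes on `echo`'s exit status regardless of what `/etc/sudoers` contains. The Jinja references are also wrong — the results are registered as `sudoers_ok`, `pingers_ok` and `root_ok` but read as `sudoers.ok` / `pingers.ok`, `Check root` compares against `sudoers.ok` instead of `root_ok`, and the `stat` paths say `files/test_large_configuration_*.ok` while the fixtures added in this commit are named `tests_large_configuration_*.ok`, so `.stat.checksum` is undefined even once the names are fixed. Rather than shelling out, stat the remote file with the same `checksum_algorithm` and compare with `assert`, as below for `/etc/sudoers` (repeat for the two drop-in files). Separately, the restore copies `/etc/sudoers` back with `mode: 0644` although the role writes it as `0440` and sudo refuses a sudoers file with a wider mode (`is mode 0644, should be 0440`), and nothing removes the `/etc/sudoers.d/pingers` and `/etc/sudoers.d/root` files the test created, so the `!requiretty` defaults outlive the test on the host; use `mode: preserve` on the backup/restore pair and delete the two drop-ins in the cleanup step.
```yaml
- name: Get stat of tests/files/tests_large_configuration_sudoers.ok
  delegate_to: localhost
  stat:
    path: files/tests_large_configuration_sudoers.ok
    checksum_algorithm: sha256
  register: sudoers_ok

- name: Get stat of /etc/sudoers on the managed host
  stat:
    path: /etc/sudoers
    checksum_algorithm: sha256
  register: sudoers_actual

- name: Check sudoers
  assert:
    that:
      - sudoers_actual.stat.exists
      - sudoers_actual.stat.checksum == sudoers_ok.stat.checksum
    fail_msg: "/etc/sudoers does not match tests_large_configuration_sudoers.ok"

# … same stat + assert pair for /etc/sudoers.d/pingers (pingers_ok) and /etc/sudoers.d/root (root_ok) …
```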