{%- macro render_aliases(alias_desc,alias_str,alias_dict,alias_subdict_name) %}
{#
  Render one sudoers alias section from item.aliases[alias_dict].
  Note that "item" is the template-level variable, not a macro argument.
  alias_desc         - heading text, emitted as a "## ..." comment line
  alias_str          - sudoers keyword for the section (e.g. Cmnd_Alias, User_Alias)
  alias_dict         - key under item.aliases holding the list of alias entries
  alias_subdict_name - key inside each entry holding that alias's member list
  Each entry becomes "<alias_str> <name> = member, member, ...". Names and members
  are written verbatim with no quoting or escaping. Emits nothing when the key is
  undefined.
#}
{% if item.aliases[alias_dict] is defined %}
## {{ alias_desc }}
{% for alias_item in item.aliases[alias_dict] %}
{{ alias_str }} {{ alias_item.name }} = {{ alias_item[alias_subdict_name] | join(", ") }}
{% endfor %}
{% else %}
{# Empty, whitespace-stripped output so an absent key yields no text at all #}
{{- '' -}}
{% endif %}
{%- endmacro -%}
{%- macro render_override_spec(spec,spec_type, spec_dict, sign) %}
{#
  Render one scoped "Defaults" line from a default_overrides entry.
  spec      - the override entry; spec.type selects which call renders it and
              spec.defaults holds the option list
  spec_type - the type handled by this call ("user", "runas", "host", "command")
  spec_dict - key in spec holding the scope list (users, operators, hosts, commands)
  sign      - sudoers scope character placed directly after "Defaults"
              (":" user, ">" runas, "@" host, "!" command, per the call sites)
  Emits "Defaults<sign> <scope list> <defaults list>" when spec.type == spec_type
  and nothing otherwise. Both lists are joined with ", " and written verbatim,
  unescaped.
#}
{% if spec.type == spec_type %}
Defaults{{ sign }} {{ spec[spec_dict] | join(", ") }} {{ spec.defaults | join(", ") }}
{% else %}
{# Empty, whitespace-stripped output so a non-matching type yields no text #}
{{- '' -}}
{% endif %}
{%- endmacro -%}
{#
  Render one sudoers file from "item". Every section is optional and is only
  written when its key is defined: defaults, aliases, user_specifications,
  default_overrides, include_files, include_directories.
  All values are interpolated verbatim - nothing in this template quotes or
  escapes them - so a value containing a newline, a double quote or a '#' can
  change the structure of the generated file, and a sudoers syntax error can
  disable sudo for every user. The rendered result should therefore be checked
  with "visudo -cf" before it is installed (presumably done by the role's tasks;
  confirm there).
#}
{{ ansible_managed | default('Ansible managed') | comment }}
{{ "system_role:sudo" | comment(prefix="", postfix="") }}
{%- if item.defaults is defined %}
# Default specifications
{% for default in item.defaults %}
{% if default is mapping %}
{#
  A mapping default is one or more "name: [values]" pairs.
  secure_path is a single ':'-separated value; any other list is split into
  six column groups by slice(6) and written as one quoted "=" line followed by
  "+=" continuation lines, skipping empty groups.
#}
{% for name, values in default.items() %}
{% if name == 'secure_path' %}
Defaults {{ name }} = {{ values | join(":") }}
{% else %}
{% for items in values | list | slice(6) %}
{# Values are placed inside double quotes unescaped; a value containing '"' would break the entry #}
{% if items %}
{% if loop.first %}
Defaults {{ name }} = "{{ items | list | join(' ') }}"
{% else %}
Defaults {{ name }} += "{{ items | list | join(' ') }}"
{% endif -%}
{% endif -%}
{% endfor %}
{% endif %}
{% endfor %}
{# A string default starting with ':' is already scoped (e.g. ":user ..."), so no space follows "Defaults" #}
{% elif default | first == ':' %}
Defaults{{ default }}
{% else %}
Defaults {{ default }}
{% endif %}
{% endfor %}
{% endif -%}
{# Alias sections; each macro call emits nothing when its key is absent, and -}} keeps the sections contiguous #}
{%- if item.aliases is defined %}
# Alias specifications
{{ render_aliases("Command Aliases", "Cmnd_Alias", "cmnd_alias", "commands") -}}
{{ render_aliases("Host Aliases", "Host_Alias", "host_alias", "hosts") -}}
{{ render_aliases("Runas Aliases", "Runas_Alias", "runas_alias", "users") -}}
{{ render_aliases("User Aliases", "User_Alias", "user_alias", "users") -}}
{% endif -%}
{%- if item.user_specifications is defined %}
# User specifications
{% for spec in item.user_specifications %}
{#
  A spec is written only when users, hosts and commands are all non-empty;
  a spec missing any of them is silently dropped rather than rendered partially.
  The whole entry is assembled on one line via whitespace control, in sudoers
  order: users hosts=(operators) TYPE= ROLE= PRIVS= LIMITPRIVS= tags: commands.
#}
{% if spec.users is defined and spec.users | length > 0
and spec.hosts is defined and spec.hosts | length > 0
and spec.commands is defined and spec.commands | length > 0 %}
{# In the final line the filter binds tighter than '+', i.e. " " + (commands joined with ", ") #}
{{ spec.users | join(", ") }} {{ spec.hosts | join(", ") }}=
{%- if spec.operators is defined and spec.operators | length > 0 -%}
({{ spec.operators | join(", ") }})
{%- endif -%}
{%- if spec.selinux_type is defined and spec.selinux_type | length > 0 -%}
TYPE={{ spec.selinux_type | join(", ") }}
{%- endif -%}
{%- if spec.selinux_role is defined and spec.selinux_role | length > 0 -%}
ROLE={{ spec.selinux_role | join(", ") }}
{%- endif -%}
{%- if spec.solaris_privs is defined and spec.solaris_privs | length > 0 -%}
PRIVS={{ spec.solaris_privs | join(", ") }}
{%- endif -%}
{%- if spec.solaris_limitprivs is defined and spec.solaris_limitprivs | length > 0 -%}
LIMITPRIVS={{ spec.solaris_limitprivs | join(", ") }}
{%- endif -%}
{%- if spec.tags is defined and spec.tags | length > 0 -%}
{{ spec.tags | join(":") }}:
{%- endif -%}
{{ " " + spec.commands | join(", ") }}
{% endif %}
{% endfor %}
{% endif -%}
{%- if item.default_overrides is defined %}
# Default override specifications
{% for spec in item.default_overrides %}
{# Each override is offered to all four scope types; only the call whose type matches spec.type emits a line #}
{{ render_override_spec(spec,"user","users",":") -}}
{{ render_override_spec(spec,"runas","operators",">") -}}
{{ render_override_spec(spec,"host","hosts","@") -}}
{{ render_override_spec(spec,"command","commands","!") -}}
{% endfor %}
{%- endif %}
{%- if item.include_files is defined or item.include_directories is defined %}
{#
  Paths are written verbatim using the legacy "#include"/"#includedir" spelling,
  which current sudo still accepts alongside "@include"/"@includedir".
  An included directory makes sudo read every eligible file in it, so the
  contents and permissions of that directory matter as much as this file.
#}
# Includes
{% if item.include_files is defined and item.include_files | length > 0 %}
## Include files
{% for file in item.include_files %}
#include {{ file }}
{% endfor %}
{% endif %}
{% if item.include_directories is defined and item.include_directories |
length > 0 %}
## Include directories
{% for dir in item.include_directories %}
#includedir {{ dir }}
{% endfor %}
{% endif %}
{% endif -%}