From e5f2dc42f95eb507adbb28901c3a2e6df32f4042 Mon Sep 17 00:00:00 2001 From: Christian Erb Date: Tue, 4 Jan 2022 15:06:09 +0100 Subject: [PATCH 1/3] Added Alias configuration User_Alias, Runas_Alias and Cmnd_Alias configuration is included. Host_Alias is not included as it is no problem to have a host specific sudoer configuration via ansible. --- README.md | 28 ++++++++++++++++++++++++++++ defaults/main.yml | 23 +++++++++++++++++++++++ templates/etc/sudoers.d/ansible.j2 | 17 +++++++++++++++++ tests/main.yml | 15 +++++++++++++++ vars/default.yml | 1 + 5 files changed, 84 insertions(+) diff --git a/README.md b/README.md index 583d044..d10f702 100644 --- a/README.md +++ b/README.md @@ -44,6 +44,17 @@ Here is a list of all the default variables for this role, which are also availa ```yaml --- +# sudo_sudoers_user_aliases: +# WEBADMINS: +# - webadmin1 +# - webadmin2 +# sudo_sudoers_cmnd_aliases: +# WEBCOMMANDS: +# - /bin/systemctl status nginx +# - /bin/systemctl start nginx +# - /bin/systemctl stop nginx +# - /bin/systemctl restart nginx +# PACKAGECOMMANDS: '/bin/apt, /bin/yum' # sudo_defaults: # - defaults: env_reset # - name: user1 @@ -89,6 +100,19 @@ This is an example playbook: roles: - weareinteractive.sudo vars: + sudo_sudoers_user_aliases: + WEBADMINS: + - webadmin1 + - webadmin2 + sudo_sudoers_runas_aliases: + WEBUSERS: 'www-data, www' + sudo_sudoers_cmnd_aliases: + WEBCOMMANDS: + - /bin/systemctl status nginx + - /bin/systemctl start nginx + - /bin/systemctl stop nginx + - /bin/systemctl restart nginx + PACKAGECOMMANDS: '/bin/apt, /bin/yum' sudo_defaults: - defaults: env_reset - defaults: secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" @@ -112,6 +136,10 @@ This is an example playbook: - name: '%group4' users: 'user1,user2' groups: 'group1,group2' + - name: WEBADMINS + commands: WEBCOMMANDS + users: WEBUSERS + groups: WEBUSERS purge_other_sudoers_files: yes ``` 
diff --git a/defaults/main.yml b/defaults/main.yml index 4c91c29..68fc608 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,4 +1,17 @@ --- +# sudo_sudoers_user_aliases: +# WEBADMINS: +# - webadmin1 +# - webadmin2 +# sudo_sudoers_cmnd_aliases: +# WEBCOMMANDS: +# - /bin/systemctl status nginx +# - /bin/systemctl start nginx +# - /bin/systemctl stop nginx +# - /bin/systemctl restart nginx +# PACKAGECOMMANDS: '/bin/apt, /bin/yum' +# sudo_sudoers_runas_aliases: +# WEBUSERS: 'www-data, www' # sudo_defaults: # - defaults: env_reset # - name: user1 @@ -15,6 +28,10 @@ # - /bin/df # - name: '%group4' # hosts: 127.0.0.1 +# - name: WEBADMINS +# commands: WEBCOMMANDS +# users: WEBUSERS +# groups: WEBUSERS # package name (version) sudo_package: sudo @@ -22,6 +39,12 @@ sudo_package: sudo sudo_users: [] # list of username or %groupname and their defaults sudo_defaults: [] +# dictionary of user alias definition +sudo_sudoers_user_aliases: [] +# dictionary of cmnd alias definition +sudo_sudoers_cmnd_aliases: [] +# dictionary of runas alias definition +sudo_sudoers_runas_aliases: [] # default sudoers file sudo_sudoers_file: ansible # path of the sudoers.d directory diff --git a/templates/etc/sudoers.d/ansible.j2 b/templates/etc/sudoers.d/ansible.j2 index 9a0fdb7..14ded9a 100644 --- a/templates/etc/sudoers.d/ansible.j2 +++ b/templates/etc/sudoers.d/ansible.j2 
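Review bot: `sudo_sudoers_user_aliases: []`, `sudo_sudoers_cmnd_aliases: []` and `sudo_sudoers_runas_aliases: []` default to an empty list even though the comment above each one says "dictionary" and the template consumes them with `.items()` behind an `is mapping` guard; with a list default the declared type contradicts the consumer, hash merging of the variable does not work, and a user who extends the default as a list gets a value the template silently ignores. The defaults should be `sudo_sudoers_user_aliases: {}` (and likewise for the cmnd and runas entries). The comment should also state the accepted shape, e.g. `# alias name (uppercase, [A-Z0-9_]) -> list of members, or a comma-separated string`, since the alias name ends up verbatim in a sudoers file.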
@@ -1,5 +1,22 @@ {{ ansible_managed | comment }} +{{ sudo_aliases_comment | comment }} +{% if sudo_users_aliases is mapping %} +{% for key, value in sudo_sudoers_user_aliases.items() %} +User_Alias {{ key }} = {{ value if value is string else value | join(', ') }} +{% endfor %} +{% endif %} +{% if sudo_runas_aliases is mapping %} +{% for key, value in sudo_sudoers_runas_aliases.items() %} +Runas_Alias {{ key }} = {{ value if value is string else value | join(', ') }} +{% endfor %} +{% endif %} +{% if sudo_cmnd_aliases is mapping %} +{% for key, value in sudo_sudoers_cmnd_aliases.items() %} +Cmnd_Alias {{ key }} = {{ value if value is string else value | join(', ') }} +{% endfor %} +{% endif %} + {% for item in sudo_defaults %} Defaults{{ ":" ~ item.name if item.name is defined else "" }} {{ item.defaults }} {% endfor %} diff --git a/tests/main.yml b/tests/main.yml index b6fb0b4..0d8eed0 100644 --- a/tests/main.yml +++ b/tests/main.yml @@ -5,6 +5,17 @@ roles: - weareinteractive.sudo vars: + sudo_sudoers_user_aliases: + WEBADMINS: + - webadmin1 + - webadmin2 + sudo_sudoers_cmnd_aliases: + WEBCOMMANDS: + - /bin/systemctl status nginx + - /bin/systemctl start nginx + - /bin/systemctl stop nginx + - /bin/systemctl restart nginx + PACKAGECOMMANDS: '/bin/apt, /bin/yum' sudo_defaults: - defaults: env_reset - defaults: secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" @@ -28,4 +39,8 @@ - name: '%group4' users: 'user1,user2' groups: 'group1,group2' + - name: WEBADMINS + commands: WEBCOMMANDS + users: WEBUSERS + groups: WEBUSERS purge_other_sudoers_files: yes diff --git a/vars/default.yml b/vars/default.yml index 3f29509..8f6541f 100644 --- a/vars/default.yml +++ b/vars/default.yml @@ -2,3 +2,4 @@ sudo_pkg_mgr_opts: update_cache=yes sudo_sudoers_group: root sudo_visudo: '/usr/sbin/visudo' +sudo_aliases_comment: 'Aliases definitions' From 2c0e797f9bfbe97e0266961bb54ed9b087adeb09 Mon Sep 17 00:00:00 2001 
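Review bot: Alias names and members are interpolated into the sudoers fragment without any validation, so a key that is not `[A-Z][A-Z0-9_]*` (say `web-admins`), or a member containing a newline or an unescaped comma, yields a file that sudo cannot parse, and a parse error in a file under /etc/sudoers.d typically disables sudo on the host entirely. vars/default.yml defines `sudo_visudo`, so the task that writes this template presumably validates with `visudo -cf %s`; if it does not, that validation becomes essential with this change. A cheap additional guard is an `assert` task before the template that loops over the keys of the three alias dicts with `that: item is match('^[A-Z][A-Z0-9_]*$')` and a `fail_msg` naming the offending alias. It is also worth a comment above the `Cmnd_Alias` line, `{# commas inside a command's arguments must be written as \, since list members are joined with ', ' #}`, because the join does not escape anything.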
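Review bot: `PACKAGECOMMANDS: '/bin/apt, /bin/yum'` is the model command alias in this fixture, but unrestricted apt and yum are well-known sudo shell escapes (apt honours `-o APT::Update::Pre-Invoke=/bin/sh`; yum loads plugins and local RPMs with scriptlets), so any rule that grants this alias as root is root-equivalent. The fixture itself is harmless, since WEBADMINS here is only granted WEBCOMMANDS as WEBUSERS and PACKAGECOMMANDS is never referenced, but it mirrors the README example that users copy. It would be better to model least privilege, e.g. `PACKAGECOMMANDS: '/usr/bin/apt-get update, /usr/bin/apt-get install nginx'`, or at minimum to annotate the entry with `# NOTE: unrestricted apt/yum as root is root-equivalent; restrict to specific subcommands`.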
From: Christian Erb Date: Mon, 10 Jan 2022 13:23:47 +0100 Subject: [PATCH 2/3] Fixed check if aliases definitions are dictionaries. --- templates/etc/sudoers.d/ansible.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/templates/etc/sudoers.d/ansible.j2 b/templates/etc/sudoers.d/ansible.j2 index 14ded9a..8e382f0 100644 --- a/templates/etc/sudoers.d/ansible.j2 +++ b/templates/etc/sudoers.d/ansible.j2 @@ -1,17 +1,17 @@ {{ ansible_managed | comment }} {{ sudo_aliases_comment | comment }} -{% if sudo_users_aliases is mapping %} +{% if sudo_sudoers_users_aliases is mapping %} {% for key, value in sudo_sudoers_user_aliases.items() %} User_Alias {{ key }} = {{ value if value is string else value | join(', ') }} {% endfor %} {% endif %} -{% if sudo_runas_aliases is mapping %} +{% if sudo_sudoers_runas_aliases is mapping %} {% for key, value in sudo_sudoers_runas_aliases.items() %} Runas_Alias {{ key }} = {{ value if value is string else value | join(', ') }} {% endfor %} {% endif %} -{% if sudo_cmnd_aliases is mapping %} +{% if sudo_sudoers_cmnd_aliases is mapping %} {% for key, value in sudo_sudoers_cmnd_aliases.items() %} Cmnd_Alias {{ key }} = {{ value if value is string else value | join(', ') }} {% endfor %} From 70f7249b129ab97debe81bca6fe8e72cd9779391 Mon Sep 17 00:00:00 2001 From: Christian Erb <70684679+tobiicerb@users.noreply.github.com> Date: Tue, 15 Feb 2022 14:12:47 +0100 Subject: [PATCH 3/3] Fixed sudo_sudoers_user dictionary definition --- templates/etc/sudoers.d/ansible.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/etc/sudoers.d/ansible.j2 b/templates/etc/sudoers.d/ansible.j2 index 8e382f0..0968b61 100644 --- a/templates/etc/sudoers.d/ansible.j2 +++ b/templates/etc/sudoers.d/ansible.j2 
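Review bot: The `is mapping` guards make a mis-typed alias variable fail silently: a list or string value is skipped, the fragment simply lacks the aliases, and the `sudo_users` entries that reference them are still written, so the problem surfaces only as a sudoers parse error at validation time, or not at all if the referencing rule is missing. Rendering straight from the variable, `{% for key, value in sudo_sudoers_user_aliases.items() %}`, with the role defaults set to `{}`, would instead raise at template time and name the bad variable. If silent skipping is intended, a comment such as `{# a non-mapping alias variable is ignored on purpose #}` above each guard would document that choice. The template continues past the end of this hunk.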
@@ -1,7 +1,7 @@ {{ ansible_managed | comment }} {{ sudo_aliases_comment | comment }} -{% if sudo_sudoers_users_aliases is mapping %} +{% if sudo_sudoers_user_aliases is mapping %} {% for key, value in sudo_sudoers_user_aliases.items() %} User_Alias {{ key }} = {{ value if value is string else value | join(', ') }} {% endfor %}
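Review bot: This is the second correction of the same guard line in the series, and nothing in tests/main.yml would have caught either misspelling because the guard skipped the block silently and the test playbook never inspects the rendered fragment. A post-task in the test playbook that checks the output, e.g. `command: grep -q '^User_Alias WEBADMINS = webadmin1, webadmin2$' /etc/sudoers.d/ansible` with `changed_when: false` (path inferred from the `sudo_sudoers_file: ansible` default), would pin the rendered result and catch a regression. The template continues past the end of this hunk.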