From e5f2dc42f95eb507adbb28901c3a2e6df32f4042 Mon Sep 17 00:00:00 2001 From: Christian Erb Date: Tue, 4 Jan 2022 15:06:09 +0100 Subject: [PATCH 1/3] Added Alias configuration User_Alias, Runas_Alias and Cmnd_Alias configuration is included. Host_Alias is not included as it is no problem to have a host specific sudoer configuration via ansible. --- README.md | 28 ++++++++++++++++++++++++++++ defaults/main.yml | 23 +++++++++++++++++++++++ templates/etc/sudoers.d/ansible.j2 | 17 +++++++++++++++++ tests/main.yml | 15 +++++++++++++++ vars/default.yml | 1 + 5 files changed, 84 insertions(+) diff --git a/README.md b/README.md index 583d044..d10f702 100644 --- a/README.md +++ b/README.md @@ -44,6 +44,17 @@ Here is a list of all the default variables for this role, which are also availa ```yaml --- +# sudo_sudoers_user_aliases: +# WEBADMINS: +# - webadmin1 +# - webadmin2 +# sudo_sudoers_cmnd_aliases: +# WEBCOMMANDS: +# - /bin/systemctl status nginx +# - /bin/systemctl start nginx +# - /bin/systemctl stop nginx +# - /bin/systemctl restart nginx +# PACKAGECOMMANDS: '/bin/apt, /bin/yum' # sudo_defaults: # - defaults: env_reset # - name: user1 @@ -89,6 +100,19 @@ This is an example playbook: roles: - weareinteractive.sudo vars: + sudo_sudoers_user_aliases: + WEBADMINS: + - webadmin1 + - webadmin2 + sudo_sudoers_runas_aliases: + WEBUSERS: 'www-data, www' + sudo_sudoers_cmnd_aliases: + WEBCOMMANDS: + - /bin/systemctl status nginx + - /bin/systemctl start nginx + - /bin/systemctl stop nginx + - /bin/systemctl restart nginx + PACKAGECOMMANDS: '/bin/apt, /bin/yum' sudo_defaults: - defaults: env_reset - defaults: secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" @@ -112,6 +136,10 @@ This is an example playbook: - name: '%group4' users: 'user1,user2' groups: 'group1,group2' + - name: WEBADMINS + commands: WEBCOMMANDS + users: WEBUSERS + groups: WEBUSERS purge_other_sudoers_files: yes ``` 
diff --git a/defaults/main.yml b/defaults/main.yml index 4c91c29..68fc608 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,4 +1,17 @@ --- +# sudo_sudoers_user_aliases: +# WEBADMINS: +# - webadmin1 +# - webadmin2 +# sudo_sudoers_cmnd_aliases: +# WEBCOMMANDS: +# - /bin/systemctl status nginx +# - /bin/systemctl start nginx +# - /bin/systemctl stop nginx +# - /bin/systemctl restart nginx +# PACKAGECOMMANDS: '/bin/apt, /bin/yum' +# sudo_sudoers_runas_aliases: +# WEBUSERS: 'www-data, www' # sudo_defaults: # - defaults: env_reset # - name: user1 @@ -15,6 +28,10 @@ # - /bin/df # - name: '%group4' # hosts: 127.0.0.1 +# - name: WEBADMINS +# commands: WEBCOMMANDS +# users: WEBUSERS +# groups: WEBUSERS # package name (version) sudo_package: sudo @@ -22,6 +39,12 @@ sudo_package: sudo sudo_users: [] # list of username or %groupname and their defaults sudo_defaults: [] +# dictionary of user alias definition +sudo_sudoers_user_aliases: [] +# dictionary of cmnd alias definition +sudo_sudoers_cmnd_aliases: [] +# dictionary of runas alias definition +sudo_sudoers_runas_aliases: [] # default sudoers file sudo_sudoers_file: ansible # path of the sudoers.d directory diff --git a/templates/etc/sudoers.d/ansible.j2 b/templates/etc/sudoers.d/ansible.j2 index 9a0fdb7..14ded9a 100644 --- a/templates/etc/sudoers.d/ansible.j2 +++ b/templates/etc/sudoers.d/ansible.j2 
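Review bot: `sudo_sudoers_user_aliases: []` and its cmnd/runas siblings in the last hunk declare an empty list, while the comment above each says "dictionary" and the template only renders an alias block when the value `is mapping`, so the declared default, its documentation and the consumer disagree; use `sudo_sudoers_user_aliases: {}` (and likewise for the other two). The commented example `PACKAGECOMMANDS: '/bin/apt, /bin/yum'` in the first hunk lists commands with no arguments, which in sudoers allows those commands to be run with any arguments; since readers copy these examples, a line such as `# a command listed without arguments may be run with any arguments` above it would make that explicit.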
@@ -1,5 +1,22 @@
 {{ ansible_managed | comment }}
 
+{{ sudo_aliases_comment | comment }}
+{% if sudo_users_aliases is mapping %}
+{% for key, value in sudo_sudoers_user_aliases.items() %}
+User_Alias {{ key }} = {{ value if value is string else value | join(', ') }}
+{% endfor %}
+{% endif %}
+{% if sudo_runas_aliases is mapping %}
+{% for key, value in sudo_sudoers_runas_aliases.items() %}
+Runas_Alias {{ key }} = {{ value if value is string else value | join(', ') }}
+{% endfor %}
+{% endif %}
+{% if sudo_cmnd_aliases is mapping %}
+{% for key, value in sudo_sudoers_cmnd_aliases.items() %}
+Cmnd_Alias {{ key }} = {{ value if value is string else value | join(', ') }}
+{% endfor %}
+{% endif %}
+
 {% for item in sudo_defaults %}
 Defaults{{ ":" ~ item.name if item.name is defined else "" }} {{ item.defaults }}
 {% endfor %}
diff --git a/tests/main.yml b/tests/main.yml
index b6fb0b4..0d8eed0 100644
--- a/tests/main.yml
+++ b/tests/main.yml
@@ -5,6 +5,17 @@
 roles:
 - weareinteractive.sudo
 vars:
+ sudo_sudoers_user_aliases:
+ WEBADMINS:
+ - webadmin1
+ - webadmin2
+ sudo_sudoers_cmnd_aliases:
+ WEBCOMMANDS:
+ - /bin/systemctl status nginx
+ - /bin/systemctl start nginx
+ - /bin/systemctl stop nginx
+ - /bin/systemctl restart nginx
+ PACKAGECOMMANDS: '/bin/apt, /bin/yum'
 sudo_defaults:
 - defaults: env_reset
 - defaults: secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
@@ -28,4 +39,8 @@
 - name: '%group4'
 users: 'user1,user2'
 groups: 'group1,group2'
+ - name: WEBADMINS
+ commands: WEBCOMMANDS
+ users: WEBUSERS
+ groups: WEBUSERS
 purge_other_sudoers_files: yes
diff --git a/vars/default.yml b/vars/default.yml
index 3f29509..8f6541f 100644
--- a/vars/default.yml
+++ b/vars/default.yml
@@ -2,3 +2,4 @@
 sudo_pkg_mgr_opts: update_cache=yes
 sudo_sudoers_group: root
 sudo_visudo: '/usr/sbin/visudo'
+sudo_aliases_comment: 'Aliases definitions'
From 692afb786008e65b4f3ba004ae13b04bb1117b72 Mon Sep 17 00:00:00 2001
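Review bot: The three guards test `sudo_users_aliases`, `sudo_runas_aliases` and `sudo_cmnd_aliases`, none of which is the `sudo_sudoers_*` variable its loop iterates, so with an undefined name `is mapping` is false and no alias block renders; PATCH 3/3 of this series corrects the runas and cmnd guards, and the remaining User_Alias one is raised there. Separately, alias names and members go into the `User_Alias`/`Runas_Alias`/`Cmnd_Alias` lines unvalidated: a key that is not an uppercase sudoers alias name, or a member containing `,`, `#` or a newline, yields a line that visudo rejects or that means something other than intended. The `sudo_visudo` setting in vars/default.yml suggests the role validates before installing, in which case the result is a failed run rather than a wrong file, but an `assert` task checking each key against `^[A-Z][A-Z0-9_]*$` before templating would give a clearer message. `{{ sudo_aliases_comment | comment }}` is also emitted for hosts with no aliases configured, so every existing deployment's file changes on upgrade; rendering it only when at least one alias mapping is non-empty would avoid that.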
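Review bot: The second tests hunk runs `WEBADMINS` as `WEBUSERS` (`users: WEBUSERS`, `groups: WEBUSERS`), but the first hunk defines only `sudo_sudoers_user_aliases` and `sudo_sudoers_cmnd_aliases`; the `sudo_sudoers_runas_aliases` with `WEBUSERS` appears in the README example but not here, so the rendered rule presumably names a Runas_Alias that is never declared, which visudo flags as an undefined alias. The same gap is in the tests hunk of PATCH 2/3, where `Defaults!PAGER` refers to a Cmnd_Alias `PAGER` that no fixture defines. Add `sudo_sudoers_runas_aliases: {WEBUSERS: 'www-data, www'}` beside the other alias fixtures here, and define `PAGER` (or use a command path) in the PATCH 2/3 fixture, so the test play exercises a file that actually validates.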
From: Christian Erb Date: Wed, 5 Jan 2022 12:54:13 +0100 Subject: [PATCH 2/3] Added additional Default configuration options This is according to the sudoers manpage. Default_Type ::= 'Defaults' | 'Defaults' '@' Host_List | 'Defaults' ':' User_List | 'Defaults' '!' Cmnd_List | 'Defaults' '>' Runas_List Host_List is not available as I see no need for this configuration option if we make use of ansible. The default if is a user list if name is defined, otherwise it is changed according to type which can be user, cmnd or runas. --- README.md | 7 +++++++ templates/etc/sudoers.d/ansible.j2 | 13 ++++++++++++- tests/main.yml | 6 ++++++ 3 files changed, 25 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index d10f702..7530ced 100644 --- a/README.md +++ b/README.md @@ -118,8 +118,15 @@ This is an example playbook: - defaults: secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" - name: 'user1' defaults: 'requiretty' + #type: user - name: '%group1' defaults: '!requiretty' + - name: PAGER + defaults: noexec + type: cmnd + - name: root + defaults: '!set_logname' + type: runas sudo_users: - name: 'user1' - name: 'user2' diff --git a/templates/etc/sudoers.d/ansible.j2 b/templates/etc/sudoers.d/ansible.j2 index 14ded9a..aadd13f 100644 --- a/templates/etc/sudoers.d/ansible.j2 +++ b/templates/etc/sudoers.d/ansible.j2 
@@ -18,7 +18,18 @@ Cmnd_Alias {{ key }} = {{ value if value is string else value | join(', ') }}
 {% endif %}
 
 {% for item in sudo_defaults %}
-Defaults{{ ":" ~ item.name if item.name is defined else "" }} {{ item.defaults }}
+{% if item.name is defined %}
+{% set defaulttype = item.type|default('user') %}
+{% if defaulttype == 'user' %}
+Defaults:{{ item.name }} {{ item.defaults }}
+{% elif defaulttype == 'cmnd' %}
+Defaults!{{ item.name }} {{ item.defaults }}
+{% elif defaulttype == 'runas' %}
+Defaults>{{ item.name }} {{ item.defaults }}
+{% endif %}
+{% else %}
+Defaults {{ item.defaults }}
+{% endif %}
 {% endfor %}
 
 {% for item in sudo_users %}
diff --git a/tests/main.yml b/tests/main.yml
index 0d8eed0..fd8162a 100644
--- a/tests/main.yml
+++ b/tests/main.yml
@@ -23,6 +23,12 @@
 defaults: 'requiretty'
 - name: '%group1'
 defaults: '!requiretty'
+ - name: PAGER
+ defaults: noexec
+ type: cmnd
+ - name: root
+ defaults: '!set_logname'
+ type: runas
 sudo_users:
 - name: 'user1'
 - name: 'user2'
From 7177b55bcbf3f4ef7296e4804b3e2b42b3f10e15 Mon Sep 17 00:00:00 2001 From: Christian Erb Date: Mon, 10 Jan 2022 13:26:40 +0100 Subject: [PATCH 3/3] Fixed check if aliases definitions are dictionaries. --- templates/etc/sudoers.d/ansible.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/templates/etc/sudoers.d/ansible.j2 b/templates/etc/sudoers.d/ansible.j2
index aadd13f..98c7c80 100644
--- a/templates/etc/sudoers.d/ansible.j2
+++ b/templates/etc/sudoers.d/ansible.j2
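Review bot: The `if`/`elif` chain on `defaulttype` has no `else`, so an entry whose `type` is anything other than `user`, `cmnd` or `runas` (a typo such as `type: cmd`) is dropped from the rendered file without any error, and a restriction such as `noexec` is then simply not applied. A prefix lookup table removes the silent branch — under Ansible's strict undefined handling a missing key should fail the template task — and collapses the four branches into one line; the enclosing `{% for item in sudo_defaults %}` loop is context in this hunk and unchanged. The accepted `type` values are not documented in defaults/main.yml, which this commit leaves untouched; a comment there listing `user`, `cmnd` and `runas` next to the `sudo_defaults` default would help.
```jinja
{% for item in sudo_defaults %}
{% if item.name is defined %}
{% set defaults_prefix = {'user': ':', 'cmnd': '!', 'runas': '>'} %}
Defaults{{ defaults_prefix[item.type | default('user')] }}{{ item.name }} {{ item.defaults }}
{% else %}
Defaults {{ item.defaults }}
{% endif %}
{# … unchanged: endfor and the sudo_users loop … #}
```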
@@ -1,17 +1,17 @@
 {{ ansible_managed | comment }}
 
 {{ sudo_aliases_comment | comment }}
-{% if sudo_users_aliases is mapping %}
+{% if sudo_sudoers_users_aliases is mapping %}
 {% for key, value in sudo_sudoers_user_aliases.items() %}
 User_Alias {{ key }} = {{ value if value is string else value | join(', ') }}
 {% endfor %}
 {% endif %}
-{% if sudo_runas_aliases is mapping %}
+{% if sudo_sudoers_runas_aliases is mapping %}
 {% for key, value in sudo_sudoers_runas_aliases.items() %}
 Runas_Alias {{ key }} = {{ value if value is string else value | join(', ') }}
 {% endfor %}
 {% endif %}
-{% if sudo_cmnd_aliases is mapping %}
+{% if sudo_sudoers_cmnd_aliases is mapping %}
 {% for key, value in sudo_sudoers_cmnd_aliases.items() %}
 Cmnd_Alias {{ key }} = {{ value if value is string else value | join(', ') }}
 {% endfor %}
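Review bot: The first replaced guard still tests a variable that does not exist: `sudo_sudoers_users_aliases` (extra `s`) versus the `sudo_sudoers_user_aliases` that the `for` on the next line iterates, so an undefined value fails `is mapping` and the User_Alias block is still skipped without error, despite the commit message saying the checks are fixed; the line should be `{% if sudo_sudoers_user_aliases is mapping %}`. The runas and cmnd guards below now match their loops. tests/main.yml already defines `WEBADMINS`, so asserting in the test play that the rendered file contains `User_Alias WEBADMINS` would have caught this.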