Adding $use_sudoers bool (#321)

Added new use_sudoers boolean as an additional control to whether or not the module would manage /etc/sudoers.
theforeman · Jan 20, 2017 · 72dca5a · 72dca5a
1 parent 18e35c5
commit 72dca5a
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 4 deletions.
diff --git a/manifests/config.pp b/manifests/config.pp
@@ -114,7 +114,7 @@
         mode    => '0440',
         content => template('foreman_proxy/sudo.erb'),
       }
-    } else {
+    } elsif $foreman_proxy::use_sudoers {
       augeas { 'sudo-foreman-proxy':
         context => "/files${::foreman_proxy::sudoers}",
         changes => template('foreman_proxy/sudo_augeas.erb'),

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -90,7 +90,10 @@
 #                               disabled to let a dedicated sudo module manage it instead.
 #                               type:Boolean
 #
-# $use_sudoersd::               Add a file to /etc/sudoers.d (true) or uses augeas (false)
+# $use_sudoersd::               Add a file to /etc/sudoers.d (true).
+#                               type:Boolean
+#
+# $use_sudoers::                Add contents to /etc/sudoers (true). This is ignored if $use_sudoersd is true.
 #                               type:Boolean
 #
 # $puppetca::                   Enable Puppet CA feature
@@ -392,6 +395,7 @@
   $ssl_disabled_ciphers       = $foreman_proxy::params::ssl_disabled_ciphers,
   $manage_sudoersd            = $foreman_proxy::params::manage_sudoersd,
   $use_sudoersd               = $foreman_proxy::params::use_sudoersd,
+  $use_sudoers                = $foreman_proxy::params::use_sudoers,
   $puppetca                   = $foreman_proxy::params::puppetca,
   $puppetca_listen_on         = $foreman_proxy::params::puppetca_listen_on,
   $ssldir                     = $foreman_proxy::params::ssldir,
@@ -485,7 +489,7 @@
 
   # Validate misc params
   validate_string($bind_host)
-  validate_bool($ssl, $manage_sudoersd, $use_sudoersd, $register_in_foreman, $manage_puppet_group)
+  validate_bool($ssl, $manage_sudoersd, $use_sudoers, $use_sudoersd, $register_in_foreman, $manage_puppet_group)
   validate_array($trusted_hosts, $ssl_disabled_ciphers, $groups)
   validate_re($log_level, '^(UNKNOWN|FATAL|ERROR|WARN|INFO|DEBUG)$')
   validate_re($plugin_version, '^(installed|present|latest|absent)$')

diff --git a/manifests/params.pp b/manifests/params.pp
@@ -203,9 +203,14 @@
   # this may be disabled to let a dedicated sudo module manage it instead.
   $manage_sudoersd = true
 
-  # Add a file to /etc/sudoers.d (true) or uses augeas (false)
+  # Setting both $use_sudoersd and $use_sudoers to false means this module will not
+  # touch any sudoers entries. Setting both to true will result in sudoersd winning.
+  # Add a file to /etc/sudoers.d (true).
   $use_sudoersd = true
 
+  # Add contents to /etc/sudoers (true, only if $use_sudoers is false).
+  $use_sudoers = true
+
   # puppet settings
   $puppet_url                 = "https://${::fqdn}:8140"
   $puppet_use_environment_api = undef

diff --git a/spec/classes/foreman_proxy__config__spec.rb b/spec/classes/foreman_proxy__config__spec.rb
@@ -937,6 +937,19 @@
           ]
         end
 
+        context 'when use_sudoers => false' do
+          let :pre_condition do
+            'class {"foreman_proxy":
+              use_sudoers  => false,
+              use_sudoersd => false,
+            }'
+          end
+
+          it "should not modify #{etc_dir}/sudoers" do
+            should_not contain_augeas('sudo-foreman-proxy')
+          end
+        end
+
         context 'when puppetca => false' do
           let :pre_condition do
             'class {"foreman_proxy":