Use system groups for sudo access

On Debian there's the sudo group which by default can use password access. For Red Hat the wheel group does the same. This saves individual sudo entries. The only exception is the jenkins user on slave which can use passwordless sudo. For that a specific entry is made.
theforeman · Jan 13, 2023 · 32fd91e · 32fd91e
1 parent f9243fc
commit 32fd91e
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 23 deletions.
diff --git a/puppet/data/common.yaml b/puppet/data/common.yaml
@@ -24,3 +24,5 @@ puppet::server_environments_owner: 'deploypuppet'
 puppet::server_environments_group: 'deploypuppet'
 puppet::server_puppetserver_telemetry: false
 puppet::show_diff: true
+
+sudo::wheel_config: password
diff --git a/puppet/modules/slave/manifests/init.pp b/puppet/modules/slave/manifests/init.pp
@@ -26,14 +26,16 @@
   include git
 
   # On Debian we use pbuilder with sudo
-  $sudo = $facts['os']['family'] ? {
-    'Debian' => 'ALL=NOPASSWD: ALL',
-    default  => '',
+  if $facts['os']['family'] == 'Debian' {
+    include sudo
+    sudo::conf { "sudo-puppet-${username}":
+      content => "${username} ALL=NOPASSWD: ALL",
+    }
   }
 
   users::account { $username:
     homedir => $homedir,
-    sudo    => $sudo,
+    sudo    => false,
   }
 
   file { $workspace:

diff --git a/puppet/modules/users/manifests/account.pp b/puppet/modules/users/manifests/account.pp
@@ -1,14 +1,22 @@
-define users::account(
+define users::account (
   Enum['present', 'absent'] $ensure = 'present',
   Optional[String] $fullname = undef,
   Optional[String] $passwd = undef,
   Stdlib::Absolutepath $homedir = "/home/${title}",
-  String $sudo = 'ALL=(ALL) ALL',
+  Boolean $sudo = true,
 ) {
+  if $sudo {
+    include sudo
+    $groups = [if $facts['os']['family'] == 'Debian' { 'sudo' } else { 'wheel'}]
+  } else {
+    $groups = []
+  }
+
   user { $name:
     ensure     => $ensure,
     comment    => $fullname,
     home       => $homedir,
+    groups     => $groups,
     managehome => true,
     shell      => '/bin/bash',
     password   => $passwd,
@@ -36,16 +44,5 @@
       group   => $name,
       mode    => '0600',
     }
-
-    $sudo_ensure = bool2str($sudo == '', 'absent', 'present')
-  } else {
-    $sudo_ensure = $ensure
-  }
-
-  include sudo
-  sudo::conf { "sudo-puppet-${name}":
-    ensure  => $sudo_ensure,
-    content => "${name} ${sudo}",
   }
-
 }
diff --git a/puppet/spec/classes/slave_spec.rb b/puppet/spec/classes/slave_spec.rb
@@ -12,10 +12,12 @@
           {uploader: false}
         end
         it { is_expected.to compile.with_all_deps }
+        it { is_expected.to contain_users__account('jenkins').with_sudo(false) }
         if facts[:osfamily] == 'Debian'
-          it { is_expected.to contain_users__account('jenkins').with_sudo('ALL=NOPASSWD: ALL') }
+          it { is_expected.to contain_class('sudo') }
+          it { is_expected.to contain_sudo__conf('sudo-puppet-jenkins').with_content('jenkins ALL=NOPASSWD: ALL') }
         else
-          it { is_expected.to contain_users__account('jenkins').with_sudo('') }
+          it { is_expected.not_to contain_class('sudo') }
         end
 
         if facts[:osfamily] == 'Debian'

diff --git a/puppet/spec/defines/users_account_spec.rb b/puppet/spec/defines/users_account_spec.rb
@@ -5,20 +5,21 @@
     context "on #{os}" do
       let(:title) { 'jenkins' }
       let(:facts) { facts }
+      let(:sudo_group) { facts[:os]['family'] == 'Debian' ? 'sudo' : 'wheel' }
 
       context 'default parameters' do
         it { is_expected.to compile.with_all_deps }
-        it { is_expected.to contain_user('jenkins').with_ensure('present') }
+        it { is_expected.to contain_user('jenkins').with_ensure('present').with_groups([sudo_group]) }
         it { is_expected.to contain_file('/home/jenkins').with_ensure('directory') }
       end
 
       context 'without sudo' do
         let(:params) do
-          {sudo: ''}
+          {sudo: false}
         end
 
         it { is_expected.to compile.with_all_deps }
-        it { is_expected.to contain_sudo__conf('sudo-puppet-jenkins').with_ensure('absent') }
+        it { is_expected.to contain_user('jenkins').with_ensure('present').with_groups([]) }
       end
 
       context 'ensure => absent' do
@@ -28,7 +29,6 @@
 
         it { is_expected.to compile.with_all_deps }
         it { is_expected.to contain_user('jenkins').with_ensure('absent') }
-        it { is_expected.to contain_sudo__conf('sudo-puppet-jenkins').with_ensure('absent') }
         it { is_expected.not_to contain_file('/home/jenkins') }
       end
     end