Merge pull request #65 from daks/map.jinja

Map.jinja refactoring

sudoers/defaults.yaml

@@ -0,0 +1,11 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+---
+sudoers:
+  pkg: sudo
+  manage_main_config: true
+  configpath: /etc
+  group: root
+  execprefix: /usr/sbin
+  includedir: /etc/sudoers.d
+  included_files: {}

sudoers/included.sls

@@ -1,31 +1,35 @@
-{% from "sudoers/map.jinja" import sudoers with context %}
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{#- Get the `tplroot` from `tpldir` #}
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_config_file = tplroot ~ '.config.file' %}
+{%- from tplroot ~ "/map.jinja" import sudoers with context %}
 
 include:
   - sudoers
 
-{% do sudoers.update(pillar.get('sudoers', {})) %}
-{% set includedir = sudoers.get('includedir', '/etc/sudoers.d') %}
-{% set included_files = sudoers.get('included_files', {}) %}
-{% for included_file,spec in included_files.items() -%}
+{% set included_files = sudoers.included_files %}
+{% for included_file, spec in included_files.items() -%}
 sudoers include {{ included_file }}:
   file.managed:
     {% if '/' in included_file %}
     - name: {{ included_file }}
     {% else %}
-    - name: {{ includedir }}/{{ included_file }}
+    - name: {{ sudoers.includedir }}/{{ included_file }}
     {% endif %}
     - user: root
-    - group: {{ sudoers.get('group', 'root') }}
+    - group: {{ sudoers.group }}
     - mode: 440
     - makedirs: True
     - template: jinja
     - source: salt://sudoers/files/sudoers
-    - check_cmd: {{ sudoers.get('execprefix', '/usr/sbin') }}/visudo -c -f
+    - check_cmd: {{ sudoers.execprefix }}/visudo -c -f
     - context:
         included: True
         sudoers: {{ spec|json }}
-    {% if salt['pillar.get']('sudoers:manage_main_config', True) %}
+    {% if sudoers.manage_main_config %}
     - require:
-      - file: {{ sudoers.get('configpath', '/etc') }}/sudoers
+      - file: {{ sudoers.configpath }}/sudoers
     {% endif %}
 {% endfor %}

sudoers/init.sls

@@ -1,27 +1,33 @@
-{% from "sudoers/map.jinja" import sudoers with context %}
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{#- Get the `tplroot` from `tpldir` #}
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_config_file = tplroot ~ '.config.file' %}
+{%- from tplroot ~ "/map.jinja" import sudoers with context %}
 
 sudo:
   pkg.installed:
     - name: {{ sudoers.pkg }}
 
-{% if salt['pillar.get']('sudoers:manage_main_config', True) %}
+{% if sudoers.manage_main_config %}
 
-{{ sudoers.get('configpath', '/etc') }}/sudoers:
+{{ sudoers.configpath }}/sudoers:
   file.managed:
     - user: root
-    - group: {{ sudoers.get('group', 'root') }}
+    - group: {{ sudoers.group }}
     - mode: 440
     - template: jinja
     - source: salt://sudoers/files/sudoers
-    - check_cmd: {{ sudoers.get('execprefix', '/usr/sbin') }}/visudo -c -f
+    - check_cmd: {{ sudoers.execprefix }}/visudo -c -f
     - context:
         included: False
     - require:
       - pkg: sudo
 
 {% else %}
 
-{{ sudoers.get('configpath', '/etc') }}/sudoers:
+{{ sudoers.configpath }}/sudoers:
   test.show_notification:
     - name: Skipping management of main sudoers file
     - text: Pillar manage_main_config is False

sudoers/map.jinja

@@ -1,17 +1,55 @@
-{% set sudoers = salt['grains.filter_by']({
-    'Debian':  {'pkg': 'sudo'},
-    'Ubuntu':  {'pkg': 'sudo'},
-    'CentOS':  {'pkg': 'sudo'},
-    'Fedora':  {'pkg': 'sudo'},
-    'RedHat':  {'pkg': 'sudo'},
-    'Amazon':  {'pkg': 'sudo'},
-    'Gentoo':  {'pkg': 'app-admin/sudo'},
-    'Mint':    {'pkg': 'sudo'},
-    'Arch':    {'pkg': 'sudo'},
-    'Suse':    {'pkg': 'sudo'},
-    'FreeBSD': {'pkg': 'sudo',
-                'configpath': '/usr/local/etc',
-                'includedir': '/usr/local/etc/sudoers.d',
-                'execprefix': '/usr/local/sbin',
-                'group': 'wheel'},
-}, merge=salt['pillar.get']('sudoers:lookup')) %}
+# -*- coding: utf-8 -*-
+# vim: ft=jinja
+
+{#- Get the `tplroot` from `tpldir` #}
+{%- set tplroot = tpldir.split('/')[0] %}
+{#- Start imports as #}
+{%- import_yaml tplroot ~ "/defaults.yaml" as default_settings %}
+{%- import_yaml tplroot ~ "/osarchmap.yaml" as osarchmap %}
+{%- import_yaml tplroot ~ "/osfamilymap.yaml" as osfamilymap %}
+{%- import_yaml tplroot ~ "/osmap.yaml" as osmap %}
+{%- import_yaml tplroot ~ "/osfingermap.yaml" as osfingermap %}
+
+{#- Retrieve the config dict only once #}
+{%- set _config = salt['config.get'](tplroot, default={}) %}
+
+{%- set defaults = salt['grains.filter_by'](
+      default_settings,
+      default=tplroot,
+      merge=salt['grains.filter_by'](
+        osarchmap,
+        grain='osarch',
+        merge=salt['grains.filter_by'](
+          osfamilymap,
+          grain='os_family',
+          merge=salt['grains.filter_by'](
+            osmap,
+            grain='os',
+            merge=salt['grains.filter_by'](
+              osfingermap,
+              grain='osfinger',
+              merge=salt['grains.filter_by'](
+                _config,
+                default='lookup'
+              )
+            )
+          )
+        )
+      )
+    )
+%}
+
+{%- set config = salt['grains.filter_by'](
+      {'defaults': defaults},
+      default='defaults',
+      merge=_config
+    )
+%}
+
+{%- set sudoers = config %}
+
+{#- Post-processing for specific non-YAML customisations #}
+{%- if grains.os == 'MacOS' %}
+{%-   set macos_group = salt['cmd.run']("stat -f '%Sg' /dev/console") %}
+{%-   do sudoers.update({'rootgroup': macos_group}) %}
+{%- endif %}

sudoers/osarchmap.yaml

@@ -0,0 +1,35 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+#
+# Setup variables using grains['osarch'] based logic.
+# You just need to add the key:values for an `osarch` that differ
+# from `defaults.yaml`.
+# Only add an `osarch` which is/will be supported by the formula.
+#
+# If you do not need to provide defaults via the `osarch` grain,
+# you will need to provide at least an empty dict in this file, e.g.
+# osarch: {}
+---
+amd64:
+  arch: amd64
+
+x86_64:
+  arch: amd64
+
+386:
+  arch: 386
+
+arm64:
+  arch: arm64
+
+armv6l:
+  arch: armv6l
+
+armv7l:
+  arch: armv7l
+
+ppc64le:
+  arch: ppc64le
+
+s390x:
+  arch: s390x

sudoers/osfamilymap.yaml

@@ -0,0 +1,38 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+#
+# Setup variables using grains['os_family'] based logic.
+# You just need to add the key:values for an `os_family` that differ
+# from `defaults.yaml` + `osarch.yaml`.
+# Only add an `os_family` which is/will be supported by the formula.
+#
+# If you do not need to provide defaults via the `os_family` grain,
+# you will need to provide at least an empty dict in this file, e.g.
+# osfamilymap: {}
+---
+Debian: {}
+
+RedHat: {}
+
+Suse: {}
+
+Gentoo:
+  pkg: app-admin/sudo
+
+Arch: {}
+
+Alpine: {}
+
+FreeBSD:
+  configpath: /usr/local/etc
+  includedir: /usr/local/etc/sudoers.d
+  execprefix: /usr/local/sbin
+  group: wheel
+
+OpenBSD: {}
+
+Solaris: {}
+
+Windows: {}
+
+MacOS: {}

sudoers/osfingermap.yaml

@@ -0,0 +1,14 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+#
+# Setup variables using grains['osfinger'] based logic.
+# You just need to add the key:values for an `osfinger` that differ
+# from `defaults.yaml` + `osarch.yaml` + `os_family.yaml` + `osmap.yaml`.
+# Only add an `osfinger` which is/will be supported by the formula.
+#
+# If you do not need to provide defaults via the `os_finger` grain,
+# you will need to provide at least an empty dict in this file, e.g.
+# osfingermap: {}
+---
+# os: Debian
+osfingermap: {}

sudoers/osmap.yaml

@@ -0,0 +1,13 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+#
+# Setup variables using grains['os'] based logic.
+# You just need to add the key:values for an `os` that differ
+# from `defaults.yaml` + `osarch.yaml` + `os_family.yaml`.
+# Only add an `os` which is/will be supported by the formula.
+#
+# If you do not need to provide defaults via the `os` grain,
+# you will need to provide at least an empty dict in this file, e.g.
+# osmap: {}
+---
+osmap: {}

test/integration/default/controls/_mapdata_spec.rb

@@ -8,6 +8,6 @@
 
   describe file('/tmp/salt_mapdata_dump.yaml') do
     it { should exist }
-    its('content') { should include mapdata_dump }
+    its('content') { should eq mapdata_dump }
   end
 end

test/integration/default/files/_mapdata/amazonlinux-1.yaml

@@ -2,4 +2,68 @@
 # Amazon Linux AMI-2018
 ---
 sudoers:
+  aliases:
+    commands:
+      PROCESSES:
+      - /usr/bin/nice
+      - /bin/kill
+      - /usr/bin/renice
+      - /usr/bin/pkill
+      - /usr/bin/top
+    hosts:
+      WEBSERVERS:
+      - www1
+      - www2
+      - www3
+    users:
+      ADMINS:
+      - millert
+      - dowdy
+      - mikef
+  arch: amd64
+  configpath: /etc
+  defaults:
+    command_list:
+      PROCESSES: noexec
+    generic:
+    - env_reset
+    - mail_badpass
+    - secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+    host_list:
+      www1: log_year, logfile=/var/log/sudo.log
+    runas_list:
+      root: '!set_logname'
+    user_list:
+      ADMINS: '!lecture'
+      johndoe: '!requiretty'
+  execprefix: /usr/sbin
+  group: root
+  groups:
+    sudo:
+    - ALL=(ALL) ALL
+    - 'ALL=(nodejs) NOPASSWD: ALL'
+  included_files:
+    /etc/sudoers.d/extra-file:
+      users:
+        foo:
+        - ALL=(ALL) ALL
+    extra-file-2:
+      groups:
+        bargroup:
+        - 'ALL=(ALL) NOPASSWD: ALL'
+    extra-file-3:
+      netgroups:
+        other_netgroup:
+        - ALL=(ALL) ALL
+  includedir: /etc/sudoers.d
+  manage_main_config: true
+  netgroups:
+    sysadmins:
+    - ALL=(ALL) ALL
   pkg: sudo
+  users:
+    johndoe:
+    - ALL=(ALL) ALL
+    - 'ALL=(root) NOPASSWD: /etc/init.d/httpd'
+    kitchen:
+    - 'ALL=(root) NOPASSWD: ALL'