From 295564bfbcf1ed90bbba3dcf55866b9ebbce0a4a Mon Sep 17 00:00:00 2001
From: Nils Philippsen
Date: Wed, 20 Jan 2021 16:31:38 +0100
Subject: [PATCH] ipa/client: add site-wide & host-based sudo rules

This also uses HBAC to let all IPA accounts use the sudo command, so what some user or group may use it for just has to be configured with sudo rules in IPA.

Signed-off-by: Nils Philippsen
---
 roles/ipa/client/tasks/main.yml | 8 +++++
 roles/ipa/client/tasks/sudo.yml | 52 +++++++++++++++++++++++++++++++++
 2 files changed, 60 insertions(+)
 create mode 100644 roles/ipa/client/tasks/sudo.yml

diff --git a/roles/ipa/client/tasks/main.yml b/roles/ipa/client/tasks/main.yml
index fbdc09ca59..fb0cdf8f0e 100644
--- a/roles/ipa/client/tasks/main.yml
+++ b/roles/ipa/client/tasks/main.yml
@@ -29,3 +29,11 @@
 when: env == 'staging'
 tags:
 - ipa/client
+
+- name: Configure sudo on IPA cluster
+ delegate_to: "{{ ipa_server }}"
+ import_tasks: sudo.yml
+ # don't muck with prod for now
+ when: env == 'staging'
+ tags:
+ - ipa/client
diff --git a/roles/ipa/client/tasks/sudo.yml b/roles/ipa/client/tasks/sudo.yml
new file mode 100644
index 0000000000..e0847631fa
--- /dev/null
+++ b/roles/ipa/client/tasks/sudo.yml
@@ -0,0 +1,52 @@
+- name: Check that configured sudo groups exist
+ command: "ipa group-show --no-members {{ item }}"
+ changed_when: False
+ loop: "{{ (ipa_client_sudo_groups | default([])) + (ipa_client_sudo_nopasswd_groups | default([])) | list }}"
+ tags:
+ - config
+
+- name: "Give members of `sysadmin-main` sudo access to anything, anywhere"
+ ipasudorule:
+ name: "group/sysadmin-main"
+ description: "Allow members of `sysadmin-main` to use sudo to do anything, anywhere"
+ ipaadmin_password: "{{ ipa_admin_password }}"
+ state: present
+ cmdcategory: "all"
+ hostcategory: "all"
+ runasusercategory: "all"
+ runasgroupcategory: "all"
+ group:
+ - sysadmin-main
+ tags:
+ - config
+
+- name: "Give certain groups sudo access to anything on {{ ansible_fqdn }}"
+ ipasudorule:
+ name: "host/{{ ansible_fqdn }}"
+ description: "Allow members of groups sudo access to anything on {{ ansible_fqdn }}"
+ ipaadmin_password: "{{ ipa_admin_password }}"
+ state: present
+ group: "{{ ipa_client_sudo_groups | list }}"
+ host: "{{ ansible_fqdn }}"
+ cmdcategory: "all"
+ runasusercategory: "all"
+ runasgroupcategory: "all"
+ when: ipa_client_sudo_groups is defined and ipa_client_sudo_groups | length > 0
+ tags:
+ - config
+
+- name: "Give certain groups password-less sudo access to anything on {{ ansible_fqdn }}"
+ ipasudorule:
+ name: "host/{{ ansible_fqdn }}/nopasswd"
+ description: "Allow members of groups password-less sudo access to anything on {{ ansible_fqdn }}"
+ ipaadmin_password: "{{ ipa_admin_password }}"
+ state: present
+ group: "{{ ipa_client_sudo_groups_nopasswd | list }}"
+ host: "{{ ansible_fqdn }}"
+ cmdcategory: "all"
+ runasusercategory: "all"
+ runasgroupcategory: "all"
+ options: "!authenticate"
+ when: ipa_client_sudo_groups_nopasswd is defined and ipa_client_sudo_groups_nopasswd | length > 0
+ tags:
+ - config
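Review bot: The existence check at the top of the hunk loops over `ipa_client_sudo_nopasswd_groups`, but the password-less rule and its `when` read `ipa_client_sudo_groups_nopasswd`, so the groups that end up with `options: "!authenticate"` are exactly the set that is never verified, and the check silently falls back to `[]` for them. Align the check with the rule: `loop: "{{ (ipa_client_sudo_groups | default([])) + (ipa_client_sudo_groups_nopasswd | default([])) | list }}"`. The `ipa group-show` task runs on the delegate IPA server like the rest of this file but, unlike the `ipasudorule` tasks, is given no `ipaadmin_password`, so it presumably depends on a Kerberos ticket already present on that host; a one-line comment stating that prerequisite above the task would make the failure mode understandable. `changed_when: False` would read better as `changed_when: false` to match yamllint's truthy rule.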