check one file for syntax and rm params fixes #223

Before that all sudoers files were checked for
syntax and when an application would have
created a suders file with a permission/syntax
error the file managed by puppet would be deleted.
But the file managed by puppet would not have a
syntax error.
This could also occur if an application creates
a file with permission 0400 instead of 0440 which
is demanded by visudo.
Removed delete_on_error: Now puppet will not
create the file if it has a syntax error by
default. Before that, syntax / permission
errors in other files would also lead to
deletion or error which makes no sense.
Removed validate_single: Previously all
files were always validated no matter which
value validate_single had. This makes no
sense, so remove parameter.
Removed conf parameter sudo_syntax_path as
the exec that used it was removed. Validation
is now only via validate_cmd of the puppet
file resource.

Author: Ludwig Cornelius

REFERENCE.md

@@ -63,8 +63,6 @@ The following parameters are available in the `sudo` class:
 * [`content_string`](#-sudo--content_string)
 * [`secure_path`](#-sudo--secure_path)
 * [`ldap_enable`](#-sudo--ldap_enable)
-* [`delete_on_error`](#-sudo--delete_on_error)
-* [`validate_single`](#-sudo--validate_single)
 * [`config_dir_keepme`](#-sudo--config_dir_keepme)
 * [`use_sudoreplay`](#-sudo--use_sudoreplay)
 * [`wheel_config`](#-sudo--wheel_config)
@@ -263,27 +261,6 @@ Enable ldap support on the package
 
 Default value: `false`
 
-##### <a name="-sudo--delete_on_error"></a>`delete_on_error`
-
-Data type: `Boolean`
-
-True if you want that the configuration is deleted on an error
-during a complete visudo -c run. If false it will just return
-an error and will add a comment to the sudoers configuration so
-that the resource will be checked at the following run.
-
-Default value: `true`
-
-##### <a name="-sudo--validate_single"></a>`validate_single`
-
-Data type: `Boolean`
-
-Do a validate on the "single" file in the sudoers.d directory.
-If the validate fail the file will not be saved or changed
-if a file already exist.
-
-Default value: `false`
-
 ##### <a name="-sudo--config_dir_keepme"></a>`config_dir_keepme`
 
 Data type: `Boolean`
@@ -429,7 +406,6 @@ The following parameters are available in the `sudo::conf` defined type:
 * [`template`](#-sudo--conf--template)
 * [`sudo_config_dir`](#-sudo--conf--sudo_config_dir)
 * [`sudo_file_name`](#-sudo--conf--sudo_file_name)
-* [`sudo_syntax_path`](#-sudo--conf--sudo_syntax_path)
 
 ##### <a name="-sudo--conf--ensure"></a>`ensure`
 
@@ -489,11 +465,3 @@ Set a custom file name for the snippet
 
 Default value: `undef`
 
-##### <a name="-sudo--conf--sudo_syntax_path"></a>`sudo_syntax_path`
-
-Data type: `Any`
-
-Path to use for executing the sudo syntax check
-
-Default value: `'/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'`
-

manifests/conf.pp

@@ -26,9 +26,6 @@
 # @param sudo_file_name
 #   Set a custom file name for the snippet
 #
-# @param sudo_syntax_path
-#   Path to use for executing the sudo syntax check
-#
 # @example
 #   sudo::conf { 'admins':
 #     source => 'puppet:///files/etc/sudoers.d/admins',
@@ -42,7 +39,6 @@
   $template         = undef,
   $sudo_config_dir  = undef,
   $sudo_file_name   = undef,
-  $sudo_syntax_path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
 ) {
   include sudo
 
@@ -108,22 +104,8 @@
   }
 
   if $ensure == 'present' {
-    if $sudo::validate_single {
-      $validate_cmd_real = 'visudo -c -f %'
-    } else {
-      $validate_cmd_real = undef
-    }
-    if $sudo::delete_on_error {
-      $notify_real = Exec["sudo-syntax-check for file ${cur_file}"]
-      $delete_cmd = "( rm -f '${cur_file_real}' && exit 1)"
-    } else {
-      $notify_real = Exec["sudo-syntax-check for file ${cur_file}"]
-      $errormsg = "Error on global-syntax-check with file ${cur_file_real}"
-      $delete_cmd = "( echo '${errormsg}' && echo '#${errormsg}' >>${cur_file_real} && exit 1)"
-    }
+    $validate_cmd_real = 'visudo -c -f %'
   } else {
-    $delete_cmd = ''
-    $notify_real = undef
     $validate_cmd_real = undef
   }
 
@@ -135,14 +117,8 @@
     mode         => $sudo::params::config_file_mode,
     source       => $source,
     content      => $content_real,
-    notify       => $notify_real,
     require      => File[$sudo_config_dir_real],
     validate_cmd => $validate_cmd_real,
   }
 
-  exec { "sudo-syntax-check for file ${cur_file}":
-    command     => "visudo -c || ${delete_cmd}",
-    refreshonly => true,
-    path        => $sudo_syntax_path,
-  }
 }

manifests/init.pp

@@ -83,17 +83,6 @@
 # @param ldap_enable
 #   Enable ldap support on the package
 #
-# @param delete_on_error
-#   True if you want that the configuration is deleted on an error
-#   during a complete visudo -c run. If false it will just return
-#   an error and will add a comment to the sudoers configuration so
-#   that the resource will be checked at the following run.
-#
-# @param validate_single
-#   Do a validate on the "single" file in the sudoers.d directory.
-#   If the validate fail the file will not be saved or changed
-#   if a file already exist.
-#
 # @param config_dir_keepme
 #   Add a .keep-me file to the config dir
 #
@@ -137,8 +126,6 @@
   Optional[String[1]]                            $content_string      = undef,
   Optional[String[1]]                            $secure_path         = $sudo::params::secure_path,
   Boolean                                        $ldap_enable         = false,
-  Boolean                                        $delete_on_error     = true,
-  Boolean                                        $validate_single     = false,
   Boolean                                        $config_dir_keepme   = $sudo::params::config_dir_keepme,
   Boolean                                        $use_sudoreplay      = false,
   Enum['absent','password','nopassword']         $wheel_config        = $sudo::params::wheel_config,