module Propellor.Property.Sudo where
import Data.List
import Propellor.Base
import Propellor.Property.File
import qualified Propellor.Property.Apt as Apt
import Propellor.Property.User
enabledFor :: User -> RevertableProperty DebianLike DebianLike
enabledFor user@(User u) = setup `requires` Apt.installed ["sudo"] <!> cleanup
where
setup :: Property UnixLike
setup = property' desc $ \w -> do
locked <- liftIO $ isLockedPassword user
ensureProperty w $ combineProperties desc $ props
& containsLine sudoers "#includedir /etc/sudoers.d"
& fileProperty desc
(modify locked . filter (wanted locked))
dfile
& removeconflicting sudoers
where
desc = u ++ " is sudoer"
cleanup :: Property DebianLike
cleanup = tightenTargets $ combineProperties desc $ props
& removeconflicting sudoers
& removeconflicting dfile
where
desc = u ++ " is not sudoer"
removeconflicting = fileProperty "remove conflicting" (filter notuserline)
sudoers = "/etc/sudoers"
dfile = "/etc/sudoers.d/000users"
sudobaseline = u ++ " ALL=(ALL:ALL)"
notuserline l = not (sudobaseline `isPrefixOf` l)
sudoline True = sudobaseline ++ " NOPASSWD:ALL"
sudoline False = sudobaseline ++ " ALL"
wanted locked l
| notuserline l = True
| "NOPASSWD" `isInfixOf` l = locked
| otherwise = True
modify locked ls
| sudoline locked `elem` ls = ls
| otherwise = ls ++ [sudoline locked]
sudoersDFile :: FilePath -> [Line] -> RevertableProperty DebianLike Linux
sudoersDFile dfile content = setup `requires` Apt.installed ["sudo"] <!> cleanup
where
f = "/etc/sudoers.d" </> dfile
setup = hasContentProtected f content
cleanup = tightenTargets $ notPresent f