From 3476984ba3569f80b7c74a1c18cd886d861774c8 Mon Sep 17 00:00:00 2001
From: Bill Glick <bglick@illinois.edu>
Date: Mon, 15 Feb 2021 13:16:10 -0600
Subject: [PATCH] ASDPLNG-55: Review and test puppet-profile_sudo

Add org_asd & org_irst as defaults for sudo groups
Disable sudo for all_disabled_usr group
Update profile_sudo to v0.1.1
---
 Puppetfile                             |  4 ++--
 data/common.yaml                       | 10 ++++++++++
 site-modules/profile/manifests/base.pp |  2 +-
 3 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/Puppetfile b/Puppetfile
index 91b9b08..9b7e829 100644
--- a/Puppetfile
+++ b/Puppetfile
@@ -18,7 +18,7 @@ mod 'ncsa/profile_allow_ssh_from_bastion', tag: 'v0.2.0', git: 'https://github.c
 # mod 'ncsa/profile_firewall', tag: 'v1.0.1', git: 'https://github.com/ncsa/puppet-profile_firewall'
 mod 'ncsa/profile_pam_access', tag: 'v0.0.4', git: 'https://github.com/ncsa/puppet-profile_pam_access'
 # mod 'ncsa/profile_puppet_master', tag: 'v0.1.0', git: 'https://github.com/ncsa/puppet-profile_puppet_master'
-# mod 'ncsa/profile_sudo', tag: 'v0.1.0', git: 'https://github.com/ncsa/profile_sudo'
+mod 'ncsa/profile_sudo', tag: 'v0.1.1', git: 'https://github.com/ncsa/puppet-profile_sudo'
 # mod 'ncsa/profile_timezone', tag: 'v0.1.0', git: 'https://github.com/ncsa/puppet-profile_timezone'
 mod 'ncsa/sshd', tag: 'v0.3.0', git: 'https://github.com/ncsa/puppet-sshd'
 mod 'ncsa/sssd', tag: 'v3.0.0', git: 'https://github.com/ncsa/puppet-sssd'
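Review bot: The newly enabled `ncsa/profile_sudo` line pins the module by git tag only, and a tag can be moved upstream after review. Since this module will write sudoers policy on every node that includes `profile::base`, consider pinning the reviewed commit instead, e.g. `mod 'ncsa/profile_sudo', commit: '<full-sha-of-v0.1.1>', git: 'https://github.com/ncsa/puppet-profile_sudo'`, with the tag name kept in a trailing comment. The other git modules in this file use the same tag-only pinning, so this could be done as a file-wide follow-up.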
@@ -37,7 +37,7 @@ mod 'puppetlabs/stdlib', '6.3.0'
 # mod 'puppetlabs/xinetd', '3.3.0'
 mod 'richardc-datacat', '0.6.2'
 # mod 'saz/limits', '3.0.4'
-# mod 'saz/sudo', '6.0.0'
+mod 'saz/sudo', '6.0.0'
 # mod 'saz/timezone', '6.0.0'
 # mod 'sharumpe-tcpwrappers', '1.0.4'
 #mod 'sharumpe-tcpwrappers', tag: '1.0.7', git: 'https://github.com/sharumpe/puppet-tcpwrappers.git'
diff --git a/data/common.yaml b/data/common.yaml
index 4c053c6..aa5e79c 100644
--- a/data/common.yaml
+++ b/data/common.yaml
@@ -12,6 +12,16 @@ profile_allow_ssh_from_bastion::groups:
   - org_asd
   - org_irst
 
+profile_sudo::configs:
+  common_disabled_users:
+    priority: 1
+    content:
+      - "#deny former NCSA users"
+      - "%all_disabled_usr ALL=(ALL) !ALL"
+profile_sudo::groups:
+  org_asd: "ALL=(ALL) NOPASSWD: ALL"
+  org_irst: "ALL=(ALL) NOPASSWD: ALL"
+
 sssd::debug_level: 0
 sssd::domains:
   ncsa.illinois.edu:
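Review bot: The deny rule `%all_disabled_usr ALL=(ALL) !ALL` is given `priority: 1`, but sudo applies the last matching entry, so a deny that is read first can be overridden by any grant read after it. If profile_sudo turns the priority into a filename prefix under /etc/sudoers.d (as saz/sudo does) and renders `profile_sudo::groups` at a later position, a disabled account that is still a member of org_asd or org_irst would keep `NOPASSWD: ALL`; the rendering order is not visible in this diff, so this needs confirming. Consider a priority that sorts after every grant, e.g. `priority: 99`, and verify with `sudo -l -U <user>` on a test account that is in both a disabled and an org group. Separately, `NOPASSWD: ALL` for two whole org groups in `data/common.yaml` applies to every node; a comment stating that this is intended, or moving the grants to role- or node-level data, would make the scope explicit.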
diff --git a/site-modules/profile/manifests/base.pp b/site-modules/profile/manifests/base.pp
index a965c41..c8b6d89 100644
--- a/site-modules/profile/manifests/base.pp
+++ b/site-modules/profile/manifests/base.pp
@@ -6,7 +6,7 @@ class profile::base {
   include ::profile_allow_ssh_from_bastion
 #  include ::profile_email
   include ::profile_pam_access
-#  include ::profile_sudo
+  include ::profile_sudo
 #  include ::profile_timezone
   include ::profile::sssd
   include ::sshd